fix(fn): Apply json wrappers to source regexps

Alvaro Muñoz · Alvaro Muñoz · commit 6cb15f06bcea · 2024-03-15T13:54:21.000+01:00
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
@@ -9,6 +9,11 @@ module Utils {
           .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1")
           .regexpReplaceAll("\\s*\\.\\s*", ".")
   }
+
+  bindingset[regex]
+  string wrapRegexp(string regex) {
+    result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"]
+  }
 }
 
 class AstNode instanceof AstNodeImpl {
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -813,28 +813,24 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl {
 }
 
 private string stepsCtxRegex() {
-  result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+  result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
 
 private string needsCtxRegex() {
-  result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+  result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
 
 private string jobsCtxRegex() {
-  result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+  result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
 
-private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") }
+private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") }
 
-private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }
+private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }
 
 private string inputsCtxRegex() {
-  result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])
-}
-
-bindingset[regex]
-private string wrapRegexp(string regex) {
-  result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"]
+  result =
+    Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])
 }
 
 /**
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -28,7 +28,7 @@ private predicate isExternalUserControlledIssue(string context) {
   exists(string reg |
     reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
@@ -45,18 +45,20 @@ private predicate isExternalUserControlledPullRequest(string context) {
         "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b"
       ]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
 private predicate isExternalUserControlledReview(string context) {
-  Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b")
+  Utils::normalizeExpr(context)
+      .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.review\\.body\\b"))
 }
 
 bindingset[context]
 private predicate isExternalUserControlledComment(string context) {
-  Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b")
+  Utils::normalizeExpr(context)
+      .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.comment\\.body\\b"))
 }
 
 bindingset[context]
@@ -68,7 +70,7 @@ private predicate isExternalUserControlledGollum(string context) {
         "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b"
       ]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
@@ -89,7 +91,7 @@ private predicate isExternalUserControlledCommit(string context) {
         "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b",
       ]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
@@ -98,7 +100,7 @@ private predicate isExternalUserControlledDiscussion(string context) {
   exists(string reg |
     reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
@@ -118,7 +120,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
         "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b",
       ]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
@@ -0,0 +1,59 @@
+name: Issue Comment Created
+
+on:
+  issue_comment:
+    types:
+      - created
+
+jobs:
+  jira:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.comment.body == '/jira ticket' }}
+    steps:
+      - run: echo ${{ github.event.comment.body }}
+
+      - name: Login
+        uses: atlassian/gajira-login@v3
+        env:
+          JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+          JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+
+      - name: SearchParam
+        run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
+
+      - name: Search
+        id: search
+        uses: tomhjp/gh-action-jira-search@v0.2.1
+        with:
+          jql: 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
+
+      - name: Log
+        run: echo "Found issue ${{ steps.search.outputs.issue }}"
+
+      - name: Create
+        id: create
+        if: steps.search.outputs.issue == ''
+        uses: atlassian/gajira-create@v3
+        with:
+          project: ${{ secrets.JIRA_PROJECT }}
+          issuetype: Task
+          summary: '${{ github.event.repository.name }}: ${{ github.event.issue.title }}'
+          description: |
+            *Issue Link:* ${{ github.event.issue.html_url }}
+            
+            ${{ github.event.issue.body }}
+          fields: '{"customfield_10006": ${{ toJSON(secrets.JIRA_EPIC_TICKET) }}, "customfield_17401":{"value":${{ toJSON( secrets.JIRA_LAYER_CAKE )}}}}'
+
+      - name: Add Comment
+        if: steps.search.outputs.issue == '' && steps.create.outputs.issue != ''
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '👋 Thanks, Jira [${{steps.create.outputs.issue}}] ticket created.'
+            })
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -131,6 +131,8 @@ nodes
 | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env |
 | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env |
 | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
@@ -234,6 +236,8 @@ subpaths
 | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} |
 | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} |
 | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
@@ -131,6 +131,8 @@ nodes
 | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env |
 | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env |
 | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
@@ -229,6 +231,8 @@ subpaths
 | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} |
 | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} |
 | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,11 @@ module Utils {`
`9`	`9`	`.regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1")`
`10`	`10`	`.regexpReplaceAll("\\s\\.\\s", ".")`
`11`	`11`	`}`
	`12`	`+`
	`13`	`+ bindingset[regex]`
	`14`	`+ string wrapRegexp(string regex) {`
	`15`	`+ result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"]`
	`16`	`+ }`
`12`	`17`	`}`
`13`	`18`
`14`	`19`	`class AstNode instanceof AstNodeImpl {`
Original file line number	Diff line number	Diff line change
`@@ -813,28 +813,24 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl {`
`813`	`813`	`}`
`814`	`814`
`815`	`815`	`private string stepsCtxRegex() {`
`816`		`- result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
	`816`	`+ result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
`817`	`817`	`}`
`818`	`818`
`819`	`819`	`private string needsCtxRegex() {`
`820`		`- result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
	`820`	`+ result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
`821`	`821`	`}`
`822`	`822`
`823`	`823`	`private string jobsCtxRegex() {`
`824`		`- result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
	`824`	`+ result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
`825`	`825`	`}`
`826`	`826`
`827`		`-private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") }`
	`827`	`+private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") }`
`828`	`828`
`829`		`-private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }`
	`829`	`+private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }`
`830`	`830`
`831`	`831`	`private string inputsCtxRegex() {`
`832`		`- result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])`
`833`		`-}`
`834`		`-`
`835`		`-bindingset[regex]`
`836`		`-private string wrapRegexp(string regex) {`
`837`		`- result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"]`
	`832`	`+ result =`
	`833`	`+ Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])`
`838`	`834`	`}`
`839`	`835`
`840`	`836`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ private predicate isExternalUserControlledIssue(string context) {`
`28`	`28`	`exists(string reg \|`
`29`	`29`	`reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"]`
`30`	`30`	`\|`
`31`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`31`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`32`	`32`	`)`
`33`	`33`	`}`
`34`	`34`
`@@ -45,18 +45,20 @@ private predicate isExternalUserControlledPullRequest(string context) {`
`45`	`45`	`"\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b"`
`46`	`46`	`]`
`47`	`47`	`\|`
`48`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`48`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`49`	`49`	`)`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`bindingset[context]`
`53`	`53`	`private predicate isExternalUserControlledReview(string context) {`
`54`		`- Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b")`
	`54`	`+ Utils::normalizeExpr(context)`
	`55`	`+ .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.review\\.body\\b"))`
`55`	`56`	`}`
`56`	`57`
`57`	`58`	`bindingset[context]`
`58`	`59`	`private predicate isExternalUserControlledComment(string context) {`
`59`		`- Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b")`
	`60`	`+ Utils::normalizeExpr(context)`
	`61`	`+ .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.comment\\.body\\b"))`
`60`	`62`	`}`
`61`	`63`
`62`	`64`	`bindingset[context]`
`@@ -68,7 +70,7 @@ private predicate isExternalUserControlledGollum(string context) {`
`68`	`70`	`"\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b"`
`69`	`71`	`]`
`70`	`72`	`\|`
`71`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`73`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`72`	`74`	`)`
`73`	`75`	`}`
`74`	`76`
`@@ -89,7 +91,7 @@ private predicate isExternalUserControlledCommit(string context) {`
`89`	`91`	`"\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b",`
`90`	`92`	`]`
`91`	`93`	`\|`
`92`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`94`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`93`	`95`	`)`
`94`	`96`	`}`
`95`	`97`
`@@ -98,7 +100,7 @@ private predicate isExternalUserControlledDiscussion(string context) {`
`98`	`100`	`exists(string reg \|`
`99`	`101`	`reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"]`
`100`	`102`	`\|`
`101`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`103`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`102`	`104`	`)`
`103`	`105`	`}`
`104`	`106`
`@@ -118,7 +120,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) {`
`118`	`120`	`"\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b",`
`119`	`121`	`]`
`120`	`122`	`\|`
`121`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`123`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`122`	`124`	`)`
`123`	`125`	`}`
`124`	`126`