feat(sources): New sources

Alvaro Muñoz · Alvaro Muñoz · commit 874e45e3e526 · 2024-03-18T13:22:53.000+01:00
This PR also adds the ability to not limit a source to a trigger event
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sourceModel
+    data:
+      # https://github.com/trilom/file-changes-action
+      # if `prNumber` is provided, the trigger event dont need to be `pull_request_target`
+      - ["trilom/file-changes-action", "*", "output.files", "*", "PR changed files"]
+      - ["trilom/file-changes-action", "*", "output.files_added", "*", "PR changed files"]
+      - ["trilom/file-changes-action", "*", "output.files_modified", "*", "PR changed files"]
+      - ["trilom/file-changes-action", "*", "output.files_removed", "*", "PR changed files"]
diff --git a/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql b/ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
@@ -24,6 +24,7 @@ where
   w = source.getNode().asExpr().getEnclosingWorkflow() and
   (
     w instanceof ReusableWorkflow or
+    source.getNode().(RemoteFlowSource).getATriggerEvent() = "*" or
     w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
   )
 select sink.getNode(), source, sink,

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ where`
`24`	`24`	`w = source.getNode().asExpr().getEnclosingWorkflow() and`
`25`	`25`	`(`
`26`	`26`	`w instanceof ReusableWorkflow or`
	`27`	`+ source.getNode().(RemoteFlowSource).getATriggerEvent() = "*" or`
`27`	`28`	`w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())`
`28`	`29`	`)`
`29`	`30`	`select sink.getNode(), source, sink,`