
Commit d3bff87

author
Alvaro Muñoz
committed
Add github to json contexts
1 parent 5f8bab0 commit d3bff87


4 files changed

+16
-2
lines changed


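--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -178,7 +178,7 @@ private predicate jsonEvent(string context) {
 reg =
 [
 // json
-"github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment",
+"github", "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment",
 "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit",
 "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer",
 "github\\.event\\.inputs", "github\\.event\\.issue", "github\\.event\\.merge_group",
@@ -262,7 +262,7 @@ class GitHubEventJsonSource extends RemoteFlowSource {
 )
 or
 contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and
-Utils::normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*")
+Utils::normalizeExpr(context).regexpMatch(".*\\bgithub(\\.event)?\\b.*")
 )
 ) and
 flag = "json"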
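Review bot: The pattern on new-side line 265 is wider than the two contexts the commit adds: because `(\\.event)?` is optional, `.*\\bgithub(\\.event)?\\b.*` is equivalent to `.*\\bgithub\\b.*` and matches every expression containing the word `github`, including `github.actor`, `github.repository` and `github.token`, where the old pattern at least required `github.event`. If every `github.*` context is now meant to be a JSON source, drop the alternation so the intent is visible, `regexpMatch(".*\\bgithub\\b.*")`; if only the bare `github` object plus `github.event` and its sub-properties are meant, something like `regexpMatch(".*\\bgithub(\\.event\\b.*|(?!\\.).*)")` expresses that (QL's regexpMatch uses java.util.regex syntax, so the lookahead is available). Whether `contextTriggerDataModel(...)` on the preceding line narrows the match is not visible here, and the enclosing predicate starts and ends outside the hunk.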

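--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml
@@ -17,3 +17,11 @@ jobs:
 - name: Dump GitHub issue context
 id: github_issue_step
 run: echo '${{ toJSON(github.event.issue) }}'
+
+- name: Dump GitHub issue context
+id: github_issue_step
+run: echo '${{ toJSON(github) }}'
+
+- name: Dump GitHub issue context
+id: github_issue_step
+run: echo '${{ toJSON(github.event) }}'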
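Review bot: The two added steps reuse the step id `github_issue_step` that line 18 already declares, and GitHub's workflow validator rejects an id used more than once within the same job, so the fixture is no longer a loadable workflow even though the CodeQL extractor will still parse it. They are also both named "Dump GitHub issue context" although they dump `github` and `github.event`, which makes the rows in the .expected files harder to map back. Distinct ids and names, e.g. `id: github_context_step` with `- name: Dump GitHub context` and `id: github_event_step` with `- name: Dump GitHub event context`, fix both. The job definition starts outside the hunk.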

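--- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -229,6 +229,8 @@ nodes
 | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
 | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) |
 | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
+| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) |
+| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |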

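--- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
@@ -229,6 +229,8 @@ nodes
 | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
 | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) |
 | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
+| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) |
+| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -340,6 +342,8 @@ subpaths
 | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} |
 | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} |
 | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} |
+| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | ${{ toJSON(github) }} |
+| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} |
 | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
 | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |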
