
Commit db328f0

author
Alvaro Muñoz
committed
Improve Association check
1 parent 4f075f3 commit db328f0


1 file changed

+15
-12
lines changed


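--- a/ql/lib/codeql/actions/security/ControlChecks.qll
+++ b/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -66,7 +66,7 @@ abstract class ControlCheck extends AstNode {
 }
 
 abstract class AssociationCheck extends ControlCheck {
-  // Checks if the actor is a COLLABORATOR of the repo
+  // Checks if the actor is a MEMBER/OWNER the repo
   // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
   // - they are not effective against issue_comment since the author of the comment may not be the same as the author of the PR
   override predicate protectsCategoryAndEvent(string category, string event) {
@@ -182,23 +182,26 @@ class RepositoryIfCheck extends RepositoryCheck instanceof If {
 class AssociationIfCheck extends AssociationCheck instanceof If {
   AssociationIfCheck() {
     // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
-    exists(
-      normalizeExpr(this.getCondition())
-          .regexpFind([
-            "\\bgithub\\.event\\.comment\\.author_association\\b",
-            "\\bgithub\\.event\\.issue\\.author_association\\b",
-            "\\bgithub\\.event\\.pull_request\\.author_association\\b",
-          ], _, _)
-    )
+    normalizeExpr(this.getCondition())
+        .splitAt("\n")
+        .regexpMatch([
+          ".*\\bgithub\\.event\\.comment\\.author_association\\b.*",
+          ".*\\bgithub\\.event\\.issue\\.author_association\\b.*",
+          ".*\\bgithub\\.event\\.pull_request\\.author_association\\b.*",
+        ]) and
+    normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bMEMBER\\b.*") and
+    normalizeExpr(this.getCondition()).splitAt("\n").regexpMatch(".*\\bOWNER\\b.*")
   }
 }
 
 class AssociationActionCheck extends AssociationCheck instanceof UsesStep {
   AssociationActionCheck() {
     this.getCallee() = "TheModdingInquisition/actions-team-membership" and
-    not exists(this.getArgument("exit"))
-    or
-    this.getArgument("exit") = "true"
+    (
+      not exists(this.getArgument("exit"))
+      or
+      this.getArgument("exit") = "true"
+    )
   }
 }
 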
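Review bot: The two new conjuncts at new lines 192–193 of AssociationIfCheck classify the condition as a membership gate whenever the bare tokens `MEMBER` and `OWNER` occur on some line of the normalized expression, so a deny-list such as `github.event.comment.author_association != 'MEMBER' && github.event.comment.author_association != 'OWNER'` would be recognized as a protecting check although it admits everyone else; unless `normalizeExpr` (defined outside this hunk) canonicalizes negations, the match should anchor on the positive shapes the example comment describes, e.g. `author_association\s*==\s*'(MEMBER|OWNER)'` and the `contains(fromJson(...))` form. The three conjuncts each match against an independent line of `.splitAt("\n")`, which looks intended for multi-line conditions but deserves a one-line comment such as `// the reference and the MEMBER/OWNER literals may sit on different lines of a multi-line condition`, and binding `normalizeExpr(this.getCondition())` once with `exists(string cond | cond = normalizeExpr(this.getCondition()) | ...)` would avoid evaluating it three times. Requiring both literals also means an `== 'OWNER'`-only gate is no longer an AssociationIfCheck, which yields an alert on a stricter workflow; if that is deliberate, say so in the class comment. In the first hunk the comment `// Checks if the actor is a MEMBER/OWNER the repo` is missing "of".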
