Consider actor and association checks as bypassable checks ONLY for issueOps

Author: Alvaro Muñoz

ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql

@@ -15,15 +15,17 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 
-from LabelControlCheck check, MutableRefCheckoutStep checkout
+from ControlCheck check, MutableRefCheckoutStep checkout
 where
   // the mutable checkout step is protected by an access check
   check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
   // the checked-out code may lead to arbitrary code execution
   checkout.getAFollowingStep() instanceof PoisonableStep and
   (
+    // label gates do not depend on the triggering event
     check instanceof LabelControlCheck
     or
+    // actor or Association gates apply to IssueOps only
     (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and
     check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment")
   )

ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql

@@ -15,15 +15,17 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 
-from LabelControlCheck check, MutableRefCheckoutStep checkout
+from ControlCheck check, MutableRefCheckoutStep checkout
 where
   // the mutable checkout step is protected by an access check
   check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
   // there are no evidences that the  checked-out code can lead to arbitrary code execution
   not checkout.getAFollowingStep() instanceof PoisonableStep and
   (
+    // label gates do not depend on the triggering event
     check instanceof LabelControlCheck
     or
+    // actor or Association gates apply to IssueOps only
     (check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and
     check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment")
   )