Treat branch-deploy action as a source of HEAD ref for untrusted checkouts

Alvaro Muñoz · Alvaro Muñoz · commit 0473c3824f46 · 2024-05-14T11:38:39.000+02:00
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -92,9 +92,15 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
       or
       // 3rd party actions returning the PR head sha/ref
       exists(UsesStep step |
-        step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
-        // TODO: This should be read step of the head_sha or head_ref output vars
-        this.getArgument("ref").regexpMatch(".*head_ref.*") and
+        (
+          step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+          // TODO: This should be read step of the head_sha or head_ref output vars
+          this.getArgument("ref").matches("%.head_ref%")
+          or
+          step.getCallee() = ["github/branch-deploy"] and
+          // TODO: This should be read step of the ref output var
+          this.getArgument("ref").matches("%.ref%")
+        ) and
         DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
       )
       or
