
Commit 3591db9

author
Alvaro Muñoz
committed
Remove artifact source as a source of PR refs
1 parent ef713ff commit 3591db9


1 file changed

+16
-10
lines changed


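--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -15,8 +15,6 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
 (
 // remote flow sources
-source instanceof ArtifactSource
-or
 source instanceof GitHubCtxSource
 or
 source instanceof GitHubEventCtxSource
@@ -245,10 +243,14 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
 exists(string value, Expression expr |
 value.regexpMatch(".*(head|branch|ref).*") and expr = this.getArgumentExpr("ref")
 |
-expr.(StepsExpression).getStepId() = value or
-expr.(SimpleReferenceExpression).getFieldName() = value or
-expr.(NeedsExpression).getNeededJobId() = value or
-expr.(JsonReferenceExpression).getAccessPath() = value or
+expr.(StepsExpression).getStepId() = value
+or
+expr.(SimpleReferenceExpression).getFieldName() = value
+or
+expr.(NeedsExpression).getNeededJobId() = value
+or
+expr.(JsonReferenceExpression).getAccessPath() = value
+or
 expr.(JsonReferenceExpression).getInnerExpression() = value
 )
 )
@@ -275,10 +277,14 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 exists(string value, Expression expr |
 value.regexpMatch(".*(head|sha|commit).*") and expr = this.getArgumentExpr("ref")
 |
-expr.(StepsExpression).getStepId() = value or
-expr.(SimpleReferenceExpression).getFieldName() = value or
-expr.(NeedsExpression).getNeededJobId() = value or
-expr.(JsonReferenceExpression).getAccessPath() = value or
+expr.(StepsExpression).getStepId() = value
+or
+expr.(SimpleReferenceExpression).getFieldName() = value
+or
+expr.(NeedsExpression).getNeededJobId() = value
+or
+expr.(JsonReferenceExpression).getAccessPath() = value
+or
 expr.(JsonReferenceExpression).getInnerExpression() = value
 )
 )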
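Review bot: The `// remote flow sources` comment in the first hunk of isSource now heads a list from which ArtifactSource has been dropped, but neither that comment nor the commit message says why artifact-derived values are no longer treated as sources of mutable checkout refs, so a later reader of ActionsMutableRefCheckoutConfig cannot tell whether this is a deliberate precision trade-off or an oversight. Suggest a one-line comment next to the remaining sources, e.g. `// ArtifactSource is intentionally not a source here; see <RATIONALE OR ISSUE REFERENCE>` with the placeholder filled in from the actual motivation. The rest of the isSource predicate, including the close of the disjunction, lies outside the hunk. The two later hunks only move each `or` onto its own line and need no change.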
