fix: Use YamlScalar for booleans

Alvaro Muñoz · Alvaro Muñoz · commit 5d1da861a246 · 2024-09-06T23:21:41.000+02:00
diff --git a/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql b/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
@@ -26,7 +26,7 @@ class ActionsCheckoutStep extends Actions::Step {
 /**
  * A `with:`/`persist-credentials` field sibling to `uses: actions/checkout`.
  */
-class ActionsCheckoutWithPersistCredentials extends YamlNode, YamlString {
+class ActionsCheckoutWithPersistCredentials extends YamlNode, YamlScalar {
   ActionsCheckoutStep step;
 
   ActionsCheckoutWithPersistCredentials() {
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/.github/workflows/test.yml b/javascript/ql/test/query-tests/Security/CWE-312/.github/workflows/test.yml
@@ -62,4 +62,26 @@ jobs:
         with:
           name: file
           path: foo
+  test7: # NOT VULNERABLE
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: .
+  test8: # VULNERABLE
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: .
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.expected b/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.expected
@@ -1,4 +1,5 @@
-| .github/workflows/test.yml:9:9:14:2 | name: " ... tifact" | A secret is exposed in an artifact uploaded by $@ | .github/workflows/test.yml:9:9:14:2 | name: " ... tifact" | actions/upload-artifact |
-| .github/workflows/test.yml:27:9:32:2 | name: " ... tifact" | A secret is exposed in an artifact uploaded by $@ | .github/workflows/test.yml:27:9:32:2 | name: " ... tifact" | actions/upload-artifact |
-| .github/workflows/test.yml:38:9:43:2 | name: " ... tifact" | A secret is exposed in an artifact uploaded by $@ | .github/workflows/test.yml:38:9:43:2 | name: " ... tifact" | actions/upload-artifact |
-| .github/workflows/test.yml:49:9:54:2 | name: " ... tifact" | A secret is exposed in an artifact uploaded by $@ | .github/workflows/test.yml:49:9:54:2 | name: " ... tifact" | actions/upload-artifact |
+| .github/workflows/test.yml:9:9:14:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
+| .github/workflows/test.yml:27:9:32:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
+| .github/workflows/test.yml:38:9:43:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
+| .github/workflows/test.yml:49:9:54:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
+| .github/workflows/test.yml:82:9:86:18 | name: " ... tifact" | A secret may be exposed in an artifact. |
