Add default branch name check

Author: JarLob

ql/lib/codeql/actions/dataflow/ExternalFlow.qll

@@ -3,10 +3,16 @@ private import codeql.actions.DataFlow
 private import actions
 
 predicate workflowDataModel(
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
 ) {
-  Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner)
+  Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+}
+
+predicate repositoryDataModel(
+  string visibility, string default_branch_name
+) {
+  Extensions::repositoryDataModel(visibility, default_branch_name)
 }
 
 /**

ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll

@@ -24,6 +24,10 @@ extensible predicate sinkModel(
 );
 
 extensible predicate workflowDataModel(
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
 );
+
+extensible predicate repositoryDataModel(
+  string visibility, string default_branch_name
+);

ql/lib/codeql/actions/security/CachePoisoningQuery.qll

@@ -10,17 +10,18 @@ string defaultBranchTriggerEvent() {
     ]
 }
 
-string defaultBranchNames() { result = ["main", "master", "default"] }
-
 predicate runsOnDefaultBranch(Job j) {
   exists(Event e |
     j.getATriggerEvent() = e and
+    exists(string default_branch_name |
+      repositoryDataModel(_, default_branch_name)
+    ) and
     (
       e.getName() = defaultBranchTriggerEvent() and
       not e.getName() = "pull_request_target"
       or
       e.getName() = "push" and
-      e.getAPropertyValue("branches") = defaultBranchNames()
+      e.getAPropertyValue("branches") = default_branch_name
       or
       e.getName() = "pull_request_target" and
       (
@@ -30,18 +31,18 @@ predicate runsOnDefaultBranch(Job j) {
         // only branches-ignore filter
         e.hasProperty("branches-ignore") and
         not e.hasProperty("branches") and
-        not e.getAPropertyValue("branches-ignore") = defaultBranchNames()
+        not e.getAPropertyValue("branches-ignore") = default_branch_name
         or
         // only branches filter
         e.hasProperty("branches") and
         not e.hasProperty("branches-ignore") and
-        e.getAPropertyValue("branches") = defaultBranchNames()
+        e.getAPropertyValue("branches") = default_branch_name
         or
         // branches and branches-ignore filters
         e.hasProperty("branches") and
         e.hasProperty("branches-ignore") and
-        e.getAPropertyValue("branches") = defaultBranchNames() and
-        not e.getAPropertyValue("branches-ignore") = defaultBranchNames()
+        e.getAPropertyValue("branches") = default_branch_name and
+        not e.getAPropertyValue("branches-ignore") = default_branch_name
       )
     )
   )

ql/lib/ext/workflow-models/workflow-models.yml

@@ -1,4 +1,10 @@
 extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: repositoryDataModel
+    data: [
+      - ["public", "main"]
+    ]
   - addsTo:
       pack: githubsecuritylab/actions-all
       extensible: workflowDataModel

ql/test/library-tests/workflowenum.ql

@@ -2,7 +2,7 @@ import actions
 import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions
 
 from
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
-where Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner)
-select visibility, path, job, secrets_source, permissions, runner
+where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+select trigger, path, job, secrets_source, permissions, runner