
Commit b4096e0

author
Alvaro Muñoz
committed
Refactor control checks
1 parent 60769f1 commit b4096e0

1 file changed

+37
-8
lines changed


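--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -221,17 +221,46 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run {
 }
 
 /** An If node that contains an actor, user or label check */
-class ControlCheck extends If {
-ControlCheck() {
+abstract class ControlCheck extends If { }
+
+class LabelControlCheck extends ControlCheck {
+LabelControlCheck() {
+// eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
+// eg: github.event.label.name == 'safe to test'
+exists(
+Utils::normalizeExpr(this.getCondition())
+.regexpFind([
+"\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b"
+], _, _)
+)
+}
+}
+
+class ActorControlCheck extends ControlCheck {
+ActorControlCheck() {
+// eg: contains(github.actor, 'dependabot')
+// eg: github.triggering_actor != 'CI Agent'
+// eg: github.event.pull_request.user.login == 'mybot'
+exists(
+Utils::normalizeExpr(this.getCondition())
+.regexpFind([
+"\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",
+"\\bgithub\\.event\\.comment\\.user\\.login\\b",
+"\\bgithub\\.event\\.pull_request\\.user\\.login\\b",
+], _, _)
+)
+}
+}
+
+class AssociationControlCheck extends ControlCheck {
+AssociationControlCheck() {
+// eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
 exists(
 Utils::normalizeExpr(this.getCondition())
 .regexpFind([
-"\\bgithub\\.actor\\b", // actor
-"\\bgithub\\.triggering_actor\\b", // actor
-"\\bgithub\\.event\\.comment\\.user\\.login\\b", //user
-"\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user
-"\\bgithub\\.event\\.pull_request\\.labels\\b", // label
-"\\bgithub\\.event\\.label\\.name\\b" // label
+"\\bgithub\\.event\\.comment\\.author_association\\b",
+"\\bgithub\\.event\\.issue\\.author_association\\b",
+"\\bgithub\\.event\\.pull_request\\.author_association\\b",
 ], _, _)
 )
 }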
