fix: restrict EnvCtxAccessExpr to Env decarlations on the same file

Alvaro Muñoz · Alvaro Muñoz · commit f513a19c243b · 2024-02-23T11:53:47.000+01:00
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
@@ -500,15 +500,10 @@ class InputsCtxAccessExpr extends CtxAccessExpr {
   override string getFieldName() { result = fieldName }
 
   override Expression getRefExpr() {
-    exists(ReusableWorkflowStmt w |
-      w.getLocation().getFile() = this.getLocation().getFile() and
-      w.getInputsStmt().getInputExpr(fieldName) = result
-    )
+    result.getLocation().getFile() = this.getLocation().getFile() and
+    exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(fieldName) = result)
     or
-    exists(CompositeActionStmt a |
-      a.getLocation().getFile() = this.getLocation().getFile() and
-      a.getInputsStmt().getInputExpr(fieldName) = result
-    )
+    exists(CompositeActionStmt a | a.getInputsStmt().getInputExpr(fieldName) = result)
   }
 }
 
@@ -528,6 +523,7 @@ class EnvCtxAccessExpr extends CtxAccessExpr {
   override string getFieldName() { result = fieldName }
 
   override Expression getRefExpr() {
+    result.getLocation().getFile() = this.getLocation().getFile() and
     exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result)
     or
     exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result)
