Merge pull request #31 from github/branch_deploy_head_source

Treat branch-deploy action as a source of HEAD ref for untrusted checkouts

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -92,9 +92,15 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
       or
       // 3rd party actions returning the PR head sha/ref
       exists(UsesStep step |
-        step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
-        // TODO: This should be read step of the head_sha or head_ref output vars
-        this.getArgument("ref").regexpMatch(".*head_ref.*") and
+        (
+          step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+          // TODO: This should be read step of the head_sha or head_ref output vars
+          this.getArgument("ref").matches("%.head_ref%")
+          or
+          step.getCallee() = ["github/branch-deploy"] and
+          // TODO: This should be read step of the ref output var
+          this.getArgument("ref").matches("%.ref%")
+        ) and
         DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
       )
       or

ql/lib/qlpack.yml

@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.22
+version: 0.0.23
 dependencies:
   codeql/util: ^0.2.0
   codeql/yaml: ^0.1.2

ql/src/qlpack.yml

@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.22
+version: 0.0.23
 groups:
   - actions
   - queries