Skip to content

Commit 7e89c04

Browse files
author
Alvaro Muñoz
authored
Merge pull request #96 from github/fix/repo_control_check
fix: Repository checks do not protect workflow_run triggered jobs
2 parents 4edfdb4 + e0a2eb9 commit 7e89c04

File tree

11 files changed

+128
-77
lines changed

11 files changed

+128
-77
lines changed

ql/lib/codeql/actions/security/ControlChecks.qll

Lines changed: 25 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -99,9 +99,6 @@ abstract class RepositoryCheck extends ControlCheck {
9999
// for pull_requests, that means that it triggers only on local branches or repos from the same org
100100
// - they are effective against pull requests/workflow_run since they can control where the code is coming from
101101
// - they are not effective against issue_comment since the repository will always be the same
102-
override predicate protectsCategoryAndEvent(string category, string event) {
103-
event = ["pull_request_target", "workflow_run"] and category = any_relevant_category()
104-
}
105102
}
106103

107104
abstract class PermissionCheck extends ControlCheck {
@@ -173,9 +170,9 @@ class ActorIfCheck extends ActorCheck instanceof If {
173170
}
174171
}
175172

176-
class RepositoryIfCheck extends RepositoryCheck instanceof If {
177-
RepositoryIfCheck() {
178-
// eg: github.repository == 'test/foo'
173+
class PullRequestTargetRepositoryIfCheck extends RepositoryCheck instanceof If {
174+
PullRequestTargetRepositoryIfCheck() {
175+
// eg: github.event.pull_request.head.repo.full_name == github.repository
179176
exists(
180177
normalizeExpr(this.getCondition())
181178
// github.repository in a workflow_run event triggered by a pull request is the base repository
@@ -188,6 +185,28 @@ class RepositoryIfCheck extends RepositoryCheck instanceof If {
188185
], _, _)
189186
)
190187
}
188+
189+
override predicate protectsCategoryAndEvent(string category, string event) {
190+
event = "pull_request_target" and category = any_relevant_category()
191+
}
192+
}
193+
194+
class WorkflowRunRepositoryIfCheck extends RepositoryCheck instanceof If {
195+
WorkflowRunRepositoryIfCheck() {
196+
// eg: github.event.workflow_run.head_repository.full_name == github.repository
197+
exists(
198+
normalizeExpr(this.getCondition())
199+
// github.repository in a workflow_run event triggered by a pull request is the base repository
200+
.regexpFind([
201+
"\\bgithub\\.event\\.workflow_run\\.head_repository\\.full_name\\b",
202+
"\\bgithub\\.event\\.workflow_run\\.head_repository\\.owner\\.name\\b"
203+
], _, _)
204+
)
205+
}
206+
207+
override predicate protectsCategoryAndEvent(string category, string event) {
208+
event = "workflow_run" and category = any_relevant_category()
209+
}
191210
}
192211

193212
class AssociationIfCheck extends AssociationCheck instanceof If {

ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml

Lines changed: 1 addition & 54 deletions
Original file line numberDiff line numberDiff line change
@@ -8,37 +8,11 @@ on:
88

99
jobs:
1010
comment:
11-
if: ${{ github.repository_owner == 'cloudflare' }}
11+
if: ${{ github.repository_owner == 'foo' }}
1212
runs-on: ubuntu-latest
1313
name: Write comment to the PR
1414
steps:
15-
- name: "Put PR and workflow ID on the environment"
16-
uses: actions/github-script@v7
17-
with:
18-
script: |
19-
// Copied from .github/extract-pr-and-workflow-id.js
20-
const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
21-
owner: context.repo.owner,
22-
repo: context.repo.repo,
23-
run_id: context.payload.workflow_run.id,
24-
});
25-
26-
for (const artifact of allArtifacts.data.artifacts) {
27-
// Extract the PR number from the artifact name
28-
const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name);
29-
if (match) {
30-
const packageName = match[1].toUpperCase();
31-
require("fs").appendFileSync(
32-
process.env.GITHUB_ENV,
33-
`\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` +
34-
`\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}`
35-
);
36-
}
37-
}
38-
3915
- name: "Download runtime versions"
40-
# Regular `actions/download-artifact` doesn't support downloading
41-
# artifacts from another workflow
4216
uses: dawidd6/action-download-artifact@v2
4317
with:
4418
run_id: ${{ github.event.workflow_run.id }}
@@ -52,30 +26,3 @@ jobs:
5226
cat runtime-versions.md
5327
echo EOF
5428
} >> "$GITHUB_ENV"
55-
56-
- name: "Download pre-release report"
57-
uses: dawidd6/action-download-artifact@v2
58-
with:
59-
run_id: ${{ github.event.workflow_run.id }}
60-
name: prerelease-report.md
61-
62-
- name: "Put pre-release report on the environment"
63-
id: prerelease_report
64-
run: |
65-
{
66-
echo 'PRERELEASE_REPORT<<EOF'
67-
cat prerelease-report.md
68-
echo EOF
69-
} >> "$GITHUB_ENV"
70-
71-
- name: "Comment on PR with Wrangler link"
72-
uses: marocchino/sticky-pull-request-comment@v2
73-
with:
74-
number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }}
75-
message: |
76-
${{ env.PRERELEASE_REPORT }}
77-
78-
---
79-
80-
${{ env.RUNTIME_VERSIONS }}
81-

ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected

Lines changed: 4 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -20,10 +20,7 @@ edges
2020
| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | |
2121
| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | |
2222
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | |
23-
| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
24-
| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | |
25-
| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
26-
| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
23+
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
2724
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
2825
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | |
2926
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
@@ -69,10 +66,8 @@ nodes
6966
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
7067
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step |
7168
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV |
72-
| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step |
73-
| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
74-
| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step |
75-
| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
69+
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step |
70+
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
7671
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step |
7772
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
7873
| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step |
@@ -100,6 +95,7 @@ subpaths
10095
| .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
10196
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
10297
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV |
98+
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
10399
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
104100
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
105101
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n |

ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected

Lines changed: 3 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -20,10 +20,7 @@ edges
2020
| .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance | |
2121
| .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance | |
2222
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance | |
23-
| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
24-
| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance | |
25-
| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
26-
| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
23+
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
2724
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
2825
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance | |
2926
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | provenance | |
@@ -69,10 +66,8 @@ nodes
6966
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
7067
| .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step |
7168
| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV |
72-
| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step |
73-
| .github/workflows/test11.yml:49:14:54:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
74-
| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step |
75-
| .github/workflows/test11.yml:64:14:69:29 | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'PRERELEASE_REPORT<<EOF'\n cat prerelease-report.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
69+
| .github/workflows/test11.yml:15:9:21:6 | Uses Step | semmle.label | Uses Step |
70+
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
7671
| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step |
7772
| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'RUNTIME_VERSIONS<<EOF'\n cat runtime-versions.md\n echo EOF\n} >> "$GITHUB_ENV"\n |
7873
| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step |

ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ jobs:
66
steps:
77
- name: Get PR number
88
id: pr_number
9-
if: ${{ github.event_name == 'issue_comment'}}
9+
if: github.event_name == 'issue_comment' && github.repository_owner == 'foo'
1010
run: |
1111
PR_URL="${{ github.event.issue.pull_request.url }}"
1212
PR_NUMBER=${PR_URL##*/}

ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_5.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
on:
2+
pull_request_target
3+
4+
jobs:
5+
build:
6+
runs-on: ubuntu-latest
7+
if: github.repository_owner == 'foo'
8+
env:
9+
HEAD: ${{ github.event.pull_request.head.sha }}
10+
steps:
11+
- uses: actions/checkout@v2
12+
with:
13+
ref: ${{ github.event.pull_request.head.sha }}
14+
- uses: actions/checkout@v2
15+
with:
16+
ref: ${{ env.HEAD }}
17+
- name: Setup Node.js
18+
uses: actions/setup-node@v4
19+
with:
20+
node-version: 21
21+
- run: |
22+
npm install
23+
npm run lint

0 commit comments

Comments
 (0)