From 6cb15f06bceaa9c6304743f5e4c6a49015f82c00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 15 Mar 2024 13:54:21 +0100 Subject: [PATCH 1/2] fix(fn): Apply json wrappers to source regexps --- ql/lib/codeql/actions/Ast.qll | 5 ++ ql/lib/codeql/actions/ast/internal/Ast.qll | 18 +++--- .../codeql/actions/dataflow/FlowSources.qll | 18 +++--- .../CWE-094/.github/workflows/json_wrap.yml | 59 +++++++++++++++++++ .../Security/CWE-094/CodeInjection.expected | 4 ++ .../CWE-094/PrivilegedCodeInjection.expected | 4 ++ 6 files changed, 89 insertions(+), 19 deletions(-) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 4a7ff12b4f9..91612c5836b 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -9,6 +9,11 @@ module Utils { .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1") .regexpReplaceAll("\\s*\\.\\s*", ".") } + + bindingset[regex] + string wrapRegexp(string regex) { + result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] + } } class AstNode instanceof AstNodeImpl { diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index f45565caed7..3fa1769e762 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
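Review bot: `wrapRegexp` becomes a public predicate of `module Utils` in this hunk without any QLDoc, so its new callers in `dataflow/FlowSources.qll` cannot see from the signature that it yields three alternative patterns (one per element of the `result = [...]` list) rather than a single one, or that `regex` is spliced in verbatim. I would add above `bindingset[regex]`: `/** Gets the regexps that match 'regex' either bare (word-bounded) or as the sole argument of fromJSON(...) / toJSON(...). The wrappers add no capturing groups, so group numbers inside 'regex' are preserved. */`. The opening of `module Utils` and the head of `normalizeExpr` lie outside the hunk.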
@@ -813,28 +813,24 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl { } private string stepsCtxRegex() { - result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string needsCtxRegex() { - result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } private string jobsCtxRegex() { - result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") + result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)") } -private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") } +private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") } -private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } +private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") } private string inputsCtxRegex() { - result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) -} - -bindingset[regex] -private string wrapRegexp(string regex) { - result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] + result = + Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"]) } /** diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index a586cab4a32..ca1d2163786 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
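Review bot: After this move the `needs`/`steps`/`jobs` output patterns are recognised only bare or as the sole argument of `fromJSON(...)`, so a reference such as `fromJSON(needs.setup.outputs.matrix).include` or `fromJSON(needs.setup.outputs.cfg)[0]` — a common way to consume job outputs — would not be matched if these regexps are checked with whole-string `regexpMatch` as they are in `FlowSources.qll`; how `stepsCtxRegex` and friends are consumed is outside the hunk, so please confirm. If that is a real gap, one further alternative in `Utils::wrapRegexp` of the form `"fromJSON\\(\\s*" + regex + "\\s*\\)(?:\\.[A-Za-z0-9_-]+|\\[[0-9]+\\])*"` would cover trailing property and index access without renumbering the `([A-Za-z0-9_-]+)` groups these patterns expose. A comment at `stepsCtxRegex` would protect those indices: `// Utils::wrapRegexp adds no capturing groups, so groups 1 and 2 stay the step id and output name`.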
@@ -28,7 +28,7 @@ private predicate isExternalUserControlledIssue(string context) { exists(string reg | reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } @@ -45,18 +45,20 @@ private predicate isExternalUserControlledPullRequest(string context) { "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b" ] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] private predicate isExternalUserControlledReview(string context) { - Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b") + Utils::normalizeExpr(context) + .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.review\\.body\\b")) } bindingset[context] private predicate isExternalUserControlledComment(string context) { - Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b") + Utils::normalizeExpr(context) + .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.comment\\.body\\b")) } bindingset[context] @@ -68,7 +70,7 @@ private predicate isExternalUserControlledGollum(string context) { "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b" ] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } @@ -89,7 +91,7 @@ private predicate isExternalUserControlledCommit(string context) { "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b", ] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } 
@@ -98,7 +100,7 @@ private predicate isExternalUserControlledDiscussion(string context) { exists(string reg | reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } @@ -118,7 +120,7 @@ private predicate isExternalUserControlledWorkflowRun(string context) { "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b", ] | - Utils::normalizeExpr(context).regexpMatch(reg) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml new file mode 100644 index 00000000000..b17a1fecbeb --- /dev/null +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml 
@@ -0,0 +1,59 @@ +name: Issue Comment Created + +on: + issue_comment: + types: + - created + +jobs: + jira: + runs-on: ubuntu-latest + if: ${{ github.event.comment.body == '/jira ticket' }} + steps: + - run: echo ${{ github.event.comment.body }} + + - name: Login + uses: atlassian/gajira-login@v3 + env: + JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} + JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} + JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} + + - name: SearchParam + run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' + + - name: Search + id: search + uses: tomhjp/gh-action-jira-search@v0.2.1 + with: + jql: 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' + + - name: Log + run: echo "Found issue ${{ steps.search.outputs.issue }}" + + - name: Create + id: create + if: steps.search.outputs.issue == '' + uses: atlassian/gajira-create@v3 + with: + project: ${{ secrets.JIRA_PROJECT }} + issuetype: Task + summary: '${{ github.event.repository.name }}: ${{ github.event.issue.title }}' + description: | + *Issue Link:* ${{ github.event.issue.html_url }} + + ${{ github.event.issue.body }} + fields: '{"customfield_10006": ${{ toJSON(secrets.JIRA_EPIC_TICKET) }}, "customfield_17401":{"value":${{ toJSON( secrets.JIRA_LAYER_CAKE )}}}}' + + - name: Add Comment + if: steps.search.outputs.issue == '' && steps.create.outputs.issue != '' + uses: actions/github-script@v6 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '👋 Thanks, Jira [${{steps.create.outputs.issue}}] ticket created.' + }) diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 23e50256756..14b0c535ac6 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
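Review bot: The fixture exercises only `toJSON(github.event.issue.title)` with no whitespace inside the parentheses and never `fromJSON(...)`, so two of the three alternatives `wrapRegexp` produces remain untested; the one spaced call in the file, `toJSON( secrets.JIRA_LAYER_CAKE )` on the `fields:` line, wraps a secret rather than a flow source and so cannot show the spaced form being recognised. I would add two more `run:` steps, e.g. `- run: echo '${{ toJSON( github.event.comment.body ) }}'` and `- run: echo '${{ fromJSON(github.event.issue.body) }}'`, and regenerate both `.expected` files. The `if: ${{ github.event.comment.body == '/jira ticket' }}` on the job is a useful negative case (a comparison, not a sink) and is correctly absent from the expected results.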
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -131,6 +131,8 @@ nodes | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -234,6 +236,8 @@ subpaths | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 9101c80a595..bdb5ae3ea55 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -131,6 +131,8 @@ nodes | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env | | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -229,6 +231,8 @@ subpaths | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | From d9e589c6e7d913c2e3a987c0f2a30676a47df15b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 15 Mar 2024 13:58:46 +0100 Subject: [PATCH 2/2] Remove unnecessary boundary anchors --- ql/lib/codeql/actions/Ast.qll | 6 +- .../codeql/actions/dataflow/FlowSources.qll | 64 +++++++++---------- 2 files changed, 34 insertions(+), 36 deletions(-) 
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 91612c5836b..ecc0ad16f5f 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -12,7 +12,11 @@ module Utils { bindingset[regex] string wrapRegexp(string regex) { - result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"] + result = + [ + "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)", + "toJSON\\(\\s*" + regex + "\\s*\\)" + ] } } diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index ca1d2163786..007ace43bd0 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -25,9 +25,7 @@ abstract class RemoteFlowSource extends SourceNode { bindingset[context] private predicate isExternalUserControlledIssue(string context) { - exists(string reg | - reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"] - | + exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } 
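Review bot: The `fromJSON\\(` and `toJSON\\(` alternatives are case-sensitive, but I believe the Actions expression evaluator resolves function names case-insensitively, so `toJson(github.event.issue.title)` — a spelling seen in many workflows — would not be recognised as a source; a source routed through `format()` or `join()`, which also pass the string through unchanged, is likewise missed. I would write the two function alternatives as `"(?i:fromJSON)\\(\\s*" + regex + "\\s*\\)"` and `"(?i:toJSON)\\(\\s*" + regex + "\\s*\\)"` (a non-capturing group, so numbered groups inside `regex` keep their indices), and either add a `"format\\(.*" + regex + ".*\\)"` alternative or record the `format`/`join` gap in a comment on the predicate. The `\\s*` tolerance added here has no test exercising whitespace inside the parentheses; the json_wrap.yml fixture from the first patch only contains `toJSON(github.event.issue.title)`.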
@@ -37,12 +35,12 @@ private predicate isExternalUserControlledPullRequest(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.pull_request\\.title\\b", "\\bgithub\\.event\\.pull_request\\.body\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.label\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.default_branch\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.description\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.homepage\\b", - "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b" + "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body", + "github\\.event\\.pull_request\\.head\\.label", + "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", + "github\\.event\\.pull_request\\.head\\.repo\\.description", + "github\\.event\\.pull_request\\.head\\.repo\\.homepage", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref" ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -51,14 +49,12 @@ private predicate isExternalUserControlledPullRequest(string context) { bindingset[context] private predicate isExternalUserControlledReview(string context) { - Utils::normalizeExpr(context) - .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.review\\.body\\b")) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body")) } bindingset[context] private predicate isExternalUserControlledComment(string context) { - Utils::normalizeExpr(context) - .regexpMatch(Utils::wrapRegexp("\\bgithub\\.event\\.comment\\.body\\b")) + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body")) } bindingset[context] 
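Review bot: `isExternalUserControlledReview` still recognises only `github.event.review.body`, whereas GitHub's security-hardening guidance also lists `github.event.review_comment.body` (the `pull_request_review_comment` payload) as attacker-controlled, so an injection via a review comment would go unreported; this hunk only rewrites the line, so the gap predates the commit. I would widen it to `exists(string reg | reg = ["github\\.event\\.review\\.body", "github\\.event\\.review_comment\\.body"] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)))`. Please verify the field name against the webhook payload documentation before adding it.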
@@ -66,8 +62,8 @@ private predicate isExternalUserControlledGollum(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.page_name\\b", - "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b" + "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", + "github\\.event\\.pages\\[[0-9]+\\]\\.title" ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -79,16 +75,15 @@ private predicate isExternalUserControlledCommit(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.message\\b", - "\\bgithub\\.event\\.head_commit\\.message\\b", - "\\bgithub\\.event\\.head_commit\\.author\\.email\\b", - "\\bgithub\\.event\\.head_commit\\.author\\.name\\b", - "\\bgithub\\.event\\.head_commit\\.committer\\.email\\b", - "\\bgithub\\.event\\.head_commit\\.committer\\.name\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.email\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.name\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email\\b", - "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b", + "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message", + "github\\.event\\.head_commit\\.author\\.email", + "github\\.event\\.head_commit\\.author\\.name", + "github\\.event\\.head_commit\\.committer\\.email", + "github\\.event\\.head_commit\\.committer\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
@@ -98,7 +93,7 @@ private predicate isExternalUserControlledCommit(string context) { bindingset[context] private predicate isExternalUserControlledDiscussion(string context) { exists(string reg | - reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"] + reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) @@ -109,15 +104,14 @@ private predicate isExternalUserControlledWorkflowRun(string context) { exists(string reg | reg = [ - "\\bgithub\\.event\\.workflow\\.path\\b", - "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", - "\\bgithub\\.event\\.workflow_run\\.display_title\\b", - "\\bgithub\\.event\\.workflow_run\\.head_repository\\.description\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.message\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.email\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.name\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.email\\b", - "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b", + "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch", + "github\\.event\\.workflow_run\\.display_title", + "github\\.event\\.workflow_run\\.head_repository\\.description", + "github\\.event\\.workflow_run\\.head_commit\\.message", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))