Bump qlpack versions
@@ -198,6 +198,8 @@ abstract class Job extends AstNode instanceof JobImpl {
|
||||
|
||||
If getIf() { result = super.getIf() }
|
||||
|
||||
Environment getEnvironment() { result = super.getEnvironment() }
|
||||
|
||||
Permissions getPermissions() { result = super.getPermissions() }
|
||||
|
||||
Event getATriggerEvent() { result = super.getATriggerEvent() }
|
||||
@@ -242,6 +244,15 @@ class If extends AstNode instanceof IfImpl {
|
||||
string getConditionStyle() { result = super.getConditionStyle() }
|
||||
}
|
||||
|
||||
/**
|
||||
* An Environemnt node representing a deployment environment.
|
||||
*/
|
||||
class Environment extends AstNode instanceof EnvironmentImpl {
|
||||
string getName() { result = super.getName() }
|
||||
|
||||
Expression getNameExpr() { result = super.getNameExpr() }
|
||||
}
|
||||
|
||||
abstract class Uses extends AstNode instanceof UsesImpl {
|
||||
string getCallee() { result = super.getCallee() }
|
||||
|
||||
|
||||
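Review bot: The doc comment on the new `Environment` class misspells the type ("An Environemnt node representing a deployment environment.") and its two members carry no documentation at all; suggest `/** An Environment node representing the deployment environment a job runs in (its environment: key). */` on the class, `/** Gets the environment name, when environment: is given as a bare scalar. */` on `getName()` and `/** Gets the expression that computes the environment name, if there is one. */` on `getNameExpr()`. The scalar qualification is worth keeping because the implementation added by this same commit (`EnvironmentImpl.getName()`) reads `n.(YamlScalar).getValue()`, so the mapping form `environment: { name: prod, url: ... }` yields no name; if that is not intended, the fix belongs in the implementation rather than in the doc. The `Uses` class opened at the end of the hunk continues outside it.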
@@ -82,6 +82,7 @@ private newtype TAstNode =
|
||||
exists(YamlMapping m | m.lookup("steps").(YamlSequence).getElementNode(_) = n)
|
||||
} or
|
||||
TIfNode(YamlValue n) { exists(YamlMapping m | m.lookup("if") = n) } or
|
||||
TEnvironmentNode(YamlValue n) { exists(YamlMapping m | m.lookup("environment") = n) } or
|
||||
TEnvNode(YamlMapping n) { exists(YamlMapping m | m.lookup("env") = n) } or
|
||||
TScalarValueNode(YamlScalar n) {
|
||||
exists(YamlMapping m | m.maps(_, n) or m.lookup(_).(YamlSequence).getElementNode(_) = n)
|
||||
@@ -793,6 +794,9 @@ class JobImpl extends AstNodeImpl, TJobNode {
|
||||
/** Gets the condition that must be satisfied for this job to run. */
|
||||
IfImpl getIf() { result.getNode() = n.lookup("if") }
|
||||
|
||||
/** Gets the deployment environment to run the job on. */
|
||||
EnvironmentImpl getEnvironment() { result.getNode() = n.lookup("environment") }
|
||||
|
||||
/** Gets the permissions for this job. */
|
||||
PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") }
|
||||
|
||||
@@ -976,6 +980,30 @@ class StepImpl extends AstNodeImpl, TStepNode {
|
||||
}
|
||||
}
|
||||
|
||||
class EnvironmentImpl extends AstNodeImpl, TEnvironmentNode {
|
||||
YamlValue n;
|
||||
|
||||
EnvironmentImpl() { this = TEnvironmentNode(n) }
|
||||
|
||||
override string toString() { result = n.toString() }
|
||||
|
||||
override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
|
||||
|
||||
override AstNodeImpl getParentNode() { result.getAChildNode() = this }
|
||||
|
||||
override string getAPrimaryQlClass() { result = "EnvironmentImpl" }
|
||||
|
||||
override Location getLocation() { result = n.getLocation() }
|
||||
|
||||
override YamlScalar getNode() { result = n }
|
||||
|
||||
/** Gets the environment name. */
|
||||
string getName() { result = n.(YamlScalar).getValue() }
|
||||
|
||||
/** Gets the environmen name. */
|
||||
ExpressionImpl getNameExpr() { result.getParentNode().getNode() = n }
|
||||
}
|
||||
|
||||
class IfImpl extends AstNodeImpl, TIfNode {
|
||||
YamlValue n;
|
||||
|
||||
|
||||
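Review bot: `EnvironmentImpl.getNode()` is declared `override YamlScalar getNode()` although the field `n` is a `YamlValue` and `TEnvironmentNode(YamlValue n)` accepts any value under an `environment:` key, so for the mapping form `environment: { name: production, url: ... }` `getNode()` has no result; `JobImpl.getEnvironment()` resolves the environment through `result.getNode() = n.lookup("environment")`, so such a job gets no `Environment` child and, downstream, no `EnvironmentCheck` gate at all. Unless scalar-only is deliberate, declare `override YamlValue getNode() { result = n }` (assuming the base `getNode()` signature permits it, as `IfImpl` also stores a `YamlValue`) and let `getName()` accept both shapes: `result = n.(YamlScalar).getValue() or result = n.(YamlMapping).lookup("name").(YamlScalar).getValue()`. The doc comment on `getNameExpr()` ("Gets the environmen name.") also describes the wrong member; it returns the expression node, not the name, e.g. `/** Gets the expression, if any, that computes the environment name. */`. The `IfImpl` class opened at the end of the hunk continues outside it.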
@@ -1,17 +1,49 @@
|
||||
import actions
|
||||
|
||||
/** An If node that contains an actor, user or label check */
|
||||
abstract class ControlCheck extends If {
|
||||
abstract class ControlCheck extends AstNode {
|
||||
ControlCheck() {
|
||||
this instanceof If or
|
||||
this instanceof Environment or
|
||||
this instanceof UsesStep
|
||||
}
|
||||
|
||||
predicate dominates(Step step) {
|
||||
step.getIf() = this or
|
||||
step.getEnclosingJob().getIf() = this or
|
||||
step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||
step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||
this instanceof If and
|
||||
(
|
||||
step.getIf() = this or
|
||||
step.getEnclosingJob().getIf() = this or
|
||||
step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||
step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||
)
|
||||
or
|
||||
this instanceof Environment and
|
||||
(
|
||||
step.getEnclosingJob().getEnvironment() = this
|
||||
or
|
||||
step.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||
)
|
||||
or
|
||||
this.(UsesStep).getAFollowingStep() = step
|
||||
}
|
||||
}
|
||||
|
||||
class LabelControlCheck extends ControlCheck {
|
||||
LabelControlCheck() {
|
||||
abstract class AssociationCheck extends ControlCheck { }
|
||||
|
||||
abstract class ActorCheck extends ControlCheck { }
|
||||
|
||||
abstract class RepositoryCheck extends ControlCheck { }
|
||||
|
||||
abstract class LabelCheck extends ControlCheck { }
|
||||
|
||||
abstract class PermissionCheck extends ControlCheck { }
|
||||
|
||||
class EnvironmentCheck extends ControlCheck instanceof Environment {
|
||||
EnvironmentCheck() { any() }
|
||||
}
|
||||
|
||||
class LabelIfCheck extends LabelCheck instanceof If {
|
||||
LabelIfCheck() {
|
||||
// eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
|
||||
// eg: github.event.label.name == 'safe to test'
|
||||
exists(
|
||||
@@ -23,8 +55,8 @@ class LabelControlCheck extends ControlCheck {
|
||||
}
|
||||
}
|
||||
|
||||
class ActorControlCheck extends ControlCheck {
|
||||
ActorControlCheck() {
|
||||
class ActorIfCheck extends ActorCheck instanceof If {
|
||||
ActorIfCheck() {
|
||||
// eg: github.actor == 'dependabot[bot]'
|
||||
// eg: github.triggering_actor == 'CI Agent'
|
||||
// eg: github.event.pull_request.user.login == 'mybot'
|
||||
@@ -39,8 +71,8 @@ class ActorControlCheck extends ControlCheck {
|
||||
}
|
||||
}
|
||||
|
||||
class RepositoryControlCheck extends ControlCheck {
|
||||
RepositoryControlCheck() {
|
||||
class RepositoryIfCheck extends RepositoryCheck instanceof If {
|
||||
RepositoryIfCheck() {
|
||||
// eg: github.repository == 'test/foo'
|
||||
exists(
|
||||
normalizeExpr(this.getCondition())
|
||||
@@ -49,8 +81,8 @@ class RepositoryControlCheck extends ControlCheck {
|
||||
}
|
||||
}
|
||||
|
||||
class AssociationControlCheck extends ControlCheck {
|
||||
AssociationControlCheck() {
|
||||
class AssociationIfCheck extends AssociationCheck instanceof If {
|
||||
AssociationIfCheck() {
|
||||
// eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
|
||||
exists(
|
||||
normalizeExpr(this.getCondition())
|
||||
@@ -63,3 +95,18 @@ class AssociationControlCheck extends ControlCheck {
|
||||
}
|
||||
}
|
||||
|
||||
class AssociationActionCheck extends AssociationCheck instanceof UsesStep {
|
||||
AssociationActionCheck() {
|
||||
this.getCallee() = "TheModdingInquisition/actions-team-membership" and
|
||||
not exists(this.getArgument("exit"))
|
||||
or
|
||||
this.getArgument("exit") = "true"
|
||||
}
|
||||
}
|
||||
|
||||
class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
|
||||
PermissionActionCheck() {
|
||||
this.getCallee() = "lannonbr/repo-permission-check-action" and
|
||||
not this.getArgument("permission") = ["write", "admin"]
|
||||
}
|
||||
}
|
||||
|
||||
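Review bot: The `or` in the `AssociationActionCheck` characteristic predicate is not parenthesised, and QL binds `and` tighter than `or`, so the class currently matches `(callee = actions-team-membership and no exit argument) or (any step whose exit argument is "true")`: every `uses:` step with `with: exit: true`, whatever action it calls, becomes an association gate and, through `ControlCheck.dominates`, silences the unprotected-checkout queries for every step after it. The intended predicate is presumably `this.getCallee() = "TheModdingInquisition/actions-team-membership" and (not exists(this.getArgument("exit")) or this.getArgument("exit") = "true")`. The `PermissionActionCheck` condition `not this.getArgument("permission") = ["write", "admin"]` also looks inverted: if the action fails the job when the actor lacks the requested permission, only the `write`/`admin` variants gate anything (any visitor of a public repository has `read`), so it should probably read `this.getArgument("permission") = ["write", "admin"]` — worth confirming against the action's documented semantics.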
@@ -2,7 +2,7 @@
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
name: github/actions-all
|
||||
version: 0.1.9
|
||||
version: 0.1.10
|
||||
dependencies:
|
||||
codeql/util: ^1.0.1
|
||||
codeql/yaml: ^1.0.1
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
import codeql.actions.security.UntrustedCheckoutQuery
|
||||
import codeql.actions.security.ControlChecks
|
||||
|
||||
from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event
|
||||
from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event
|
||||
where
|
||||
job = checkout.getEnclosingJob() and
|
||||
job.isPrivileged() and
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/**
|
||||
* @name Untrusted Checkout TOCTOU
|
||||
* @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
|
||||
* @kind problem
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @security-severity 9.3
|
||||
@@ -16,21 +16,43 @@ import codeql.actions.security.UntrustedCheckoutQuery
|
||||
import codeql.actions.security.PoisonableSteps
|
||||
import codeql.actions.security.ControlChecks
|
||||
|
||||
from ControlCheck check, MutableRefCheckoutStep checkout
|
||||
query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
|
||||
|
||||
from LocalJob j, MutableRefCheckoutStep checkout, PoisonableStep s, ControlCheck check
|
||||
where
|
||||
// the job can be triggered by an external user
|
||||
inPrivilegedExternallyTriggerableJob(check) and
|
||||
j = checkout.getEnclosingJob() and
|
||||
j.getAStep() = checkout and
|
||||
// the checkout is followed by a known poisonable step
|
||||
checkout.getAFollowingStep() = s and
|
||||
// the checkout occurs in a privileged context
|
||||
(
|
||||
inPrivilegedCompositeAction(checkout)
|
||||
or
|
||||
inPrivilegedExternallyTriggerableJob(checkout)
|
||||
) and
|
||||
// the mutable checkout step is protected by an access check
|
||||
check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
|
||||
check.dominates(checkout) and
|
||||
// the checked-out code may lead to arbitrary code execution
|
||||
checkout.getAFollowingStep() instanceof PoisonableStep and
|
||||
(
|
||||
// label gates do not depend on the triggering event
|
||||
check instanceof LabelControlCheck
|
||||
// environment gates do not depend on the triggering event
|
||||
check instanceof EnvironmentCheck
|
||||
or
|
||||
// actor or association gates apply to IssueOps only
|
||||
(check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and
|
||||
// label gates do not depend on the triggering event
|
||||
check instanceof LabelCheck
|
||||
or
|
||||
// actor or association gates are only bypassable for IssueOps
|
||||
// since an attacker can wait for a privileged user to comment on an issue
|
||||
// and then mutate the checked-out code.
|
||||
// however, when used for pull_request_target, the check is not bypassable since
|
||||
// the actor checked is the author of the PR
|
||||
(
|
||||
check instanceof AssociationCheck or
|
||||
check instanceof ActorCheck or
|
||||
check instanceof PermissionCheck
|
||||
) and
|
||||
check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment")
|
||||
)
|
||||
select checkout, "The checked-out code can be changed after the authorization check o step $@.",
|
||||
select s, checkout, s,
|
||||
"Insufficient protection against execution of untrusted code on a privileged workflow on check $@.",
|
||||
check, check.toString()
|
||||
|
||||
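Review bot: The `%_comment` restriction on actor/association/permission gates rests on the comment's claim that under `pull_request_target` "the actor checked is the author of the PR", but as far as the Actions context goes `github.actor` and `github.triggering_actor` name whoever performed the triggering activity: for `types: [labeled]` (or `edited`, review events) that is the maintainer, and an attacker who pushes to the PR head between the label and the `actions/checkout` of the mutable `refs/pull/N/merge` ref gets exactly the race this query describes, yet the workflow produces no alert because the event name does not match. At minimum the comment should state the assumption, e.g. `// assumes pull_request_target is triggered by the PR author's own push (opened/synchronize); for labeled/edited the actor is the labeller and the race still applies`, and it may be worth extending the event condition to `pull_request_target` triggers whose activity types include `labeled`. The `LabelCheck` branch only covers workflows whose gate is a label expression, not ones that gate on the labeller's identity.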
@@ -16,21 +16,37 @@ import codeql.actions.security.UntrustedCheckoutQuery
|
||||
import codeql.actions.security.PoisonableSteps
|
||||
import codeql.actions.security.ControlChecks
|
||||
|
||||
from ControlCheck check, MutableRefCheckoutStep checkout
|
||||
from MutableRefCheckoutStep checkout, ControlCheck check
|
||||
where
|
||||
// the job can be triggered by an external user
|
||||
inPrivilegedExternallyTriggerableJob(check) and
|
||||
// the mutable checkout step is protected by an access check
|
||||
check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
|
||||
// there are no evidences that the checked-out code can lead to arbitrary code execution
|
||||
not checkout.getAFollowingStep() instanceof PoisonableStep and
|
||||
// the checkout occurs in a privileged context
|
||||
(
|
||||
// label gates do not depend on the triggering event
|
||||
check instanceof LabelControlCheck
|
||||
inPrivilegedCompositeAction(checkout)
|
||||
or
|
||||
// actor or Association gates apply to IssueOps only
|
||||
(check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and
|
||||
inPrivilegedExternallyTriggerableJob(checkout)
|
||||
) and
|
||||
// there are no evidences that the checked-out gets executed
|
||||
not checkout.getAFollowingStep() instanceof PoisonableStep and
|
||||
// the mutable checkout step is protected by an access check
|
||||
check.dominates(checkout) and
|
||||
(
|
||||
// environment gates do not depend on the triggering event
|
||||
check instanceof EnvironmentCheck
|
||||
or
|
||||
// label gates do not depend on the triggering event
|
||||
check instanceof LabelCheck
|
||||
or
|
||||
// actor or association gates are only bypassable for IssueOps
|
||||
// since an attacker can wait for a privileged user to comment on an issue
|
||||
// and then mutate the checked-out code.
|
||||
// however, when used for pull_request_target, the check is not bypassable since
|
||||
// the actor checked is the author of the PR
|
||||
(
|
||||
check instanceof AssociationCheck or
|
||||
check instanceof ActorCheck or
|
||||
check instanceof PermissionCheck
|
||||
) and
|
||||
check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment")
|
||||
)
|
||||
select checkout, "The checked-out code can be changed after the authorization check o step $@.",
|
||||
select checkout,
|
||||
"Insufficient protection against execution of untrusted code on a privileged workflow on step $@.",
|
||||
check, check.toString()
|
||||
|
||||
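Review bot: The bypassability disjunction at the end of the `where` clause (the `EnvironmentCheck` / `LabelCheck` / actor-`%_comment` block together with its explanatory comments) is copied verbatim from the path-problem variant of this query in the same commit, so the two will drift the next time a `ControlCheck` subclass is added; the rule belongs in `ControlChecks.qll`, for instance as a member `predicate isBypassable()` on `ControlCheck`, with both queries reduced to `check.isBypassable()`. While moving it, the comment `// there are no evidences that the checked-out gets executed` reads better as `// there is no evidence that the checked-out code gets executed`.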
@@ -26,12 +26,12 @@ where
|
||||
j.getAStep() = checkout and
|
||||
// the checkout is followed by a known poisonable step
|
||||
checkout.getAFollowingStep() = s and
|
||||
// the checkout is not controlled by an access check
|
||||
not exists(ControlCheck check | check.dominates(checkout)) and
|
||||
// the checkout occurs in a privileged context
|
||||
(
|
||||
inPrivilegedCompositeAction(checkout)
|
||||
or
|
||||
inPrivilegedExternallyTriggerableJob(checkout)
|
||||
)
|
||||
select s, checkout, s, "Potential unsafe checkout of untrusted code on a privileged workflow."
|
||||
) and
|
||||
// the checkout is not controlled by an access check
|
||||
not exists(ControlCheck check | check.dominates(checkout))
|
||||
select s, checkout, s, "Execution of untrusted code on a privileged workflow."
|
||||
|
||||
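Review bot: The `not exists(ControlCheck check | check.dominates(checkout))` exclusion now also fires for a job that merely declares `environment:`, because `EnvironmentCheck` is `any()` over every `Environment` node, while whether that environment actually has required reviewers or any other deployment protection rule is repository configuration the workflow file does not show. An unprotected environment therefore downgrades a critical finding to the "insufficient protection" alert of the TOCTOU query, and a reader of this query cannot tell why; suggest a comment on the exclusion: `// note: any environment: key counts as a gate; whether it enforces required reviewers is repository configuration invisible here`. The enclosing `where` clause starts before the hunk.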
@@ -24,12 +24,12 @@ where
|
||||
j.getAStep() = checkout and
|
||||
// the checkout is NOT followed by a known poisonable step
|
||||
not checkout.getAFollowingStep() instanceof PoisonableStep and
|
||||
// the checkout is not controlled by an access check
|
||||
not exists(ControlCheck check | check.dominates(checkout)) and
|
||||
// the checkout occurs in a privileged context
|
||||
(
|
||||
inPrivilegedCompositeAction(checkout)
|
||||
or
|
||||
inPrivilegedExternallyTriggerableJob(checkout)
|
||||
)
|
||||
select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
|
||||
) and
|
||||
// the checkout is not controlled by an access check
|
||||
not exists(ControlCheck check | check.dominates(checkout))
|
||||
select checkout, "Potential execution of untrusted code on a privileged workflow."
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
library: false
|
||||
name: github/actions-queries
|
||||
version: 0.1.9
|
||||
version: 0.1.10
|
||||
groups: [actions, queries]
|
||||
suites: codeql-suites
|
||||
extractor: javascript
|
||||
|
||||
@@ -1,2 +1,25 @@
|
||||
| .github/workflows/comment.yml:37:9:41:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} |
|
||||
| .github/workflows/label.yml:13:9:17:6 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') |
|
||||
edges
|
||||
| .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step |
|
||||
| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:30:9:34:6 | Uses Step |
|
||||
| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:34:9:37:6 | Run Step |
|
||||
| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:37:9:41:6 | Uses Step |
|
||||
| .github/workflows/comment.yml:15:9:30:6 | Uses Step: issue | .github/workflows/comment.yml:41:9:41:43 | Run Step |
|
||||
| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:34:9:37:6 | Run Step |
|
||||
| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step |
|
||||
| .github/workflows/comment.yml:30:9:34:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step |
|
||||
| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step |
|
||||
| .github/workflows/comment.yml:34:9:37:6 | Run Step | .github/workflows/comment.yml:41:9:41:43 | Run Step |
|
||||
| .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step |
|
||||
| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:22:10:27:7 | Uses Step |
|
||||
| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step |
|
||||
| .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step |
|
||||
| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step |
|
||||
| .github/workflows/deployment.yml:22:10:27:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step |
|
||||
| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step |
|
||||
| .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step |
|
||||
| .github/workflows/label_actor.yml:13:9:17:6 | Uses Step | .github/workflows/label_actor.yml:17:9:17:41 | Run Step |
|
||||
#select
|
||||
| .github/workflows/comment.yml:41:9:41:43 | Run Step | .github/workflows/comment.yml:37:9:41:6 | Uses Step | .github/workflows/comment.yml:41:9:41:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/comment.yml:10:9:10:188 | ${{ git ... s ') }} | ${{ git ... s ') }} |
|
||||
| .github/workflows/deployment.yml:27:10:30:7 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:27:10:30:7 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI |
|
||||
| .github/workflows/deployment.yml:30:10:31:53 | Run Step | .github/workflows/deployment.yml:16:10:22:7 | Uses Step | .github/workflows/deployment.yml:30:10:31:53 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/deployment.yml:13:19:13:27 | Public CI | Public CI |
|
||||
| .github/workflows/label.yml:17:9:17:41 | Run Step | .github/workflows/label.yml:13:9:17:6 | Uses Step | .github/workflows/label.yml:17:9:17:41 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow on check $@. | .github/workflows/label.yml:11:9:11:73 | contain ... -test') | contain ... -test') |
|
||||
|
||||
@@ -312,15 +312,15 @@ edges
|
||||
| .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
|
||||
#select
|
||||
| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
|
||||
|
||||
@@ -1,21 +1,20 @@
|
||||
| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/test2.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
|
||||
| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
|
||||
|
||||