From 12e78ac4fe4162920e0418129f90a5b2fc8a35ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= <pwntester@github.com>
Date: Tue, 23 Jul 2024 23:37:04 +0200
Subject: [PATCH] fix(regex): update pattern to match both gh and hub commands

---
 ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index be0229a77c4..fba33bb8bc8 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -242,7 +242,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GhMutableRefCheckout() {
     exists(string line |
       this.getScript().splitAt("\n") = line and
-      line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+      line.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and
       (
         (containsHeadRef(line) or containsPullRequestNumber(line))
         or