Model get-workflow-origin action

2026-01-07 03:30:24 +01:00 · 2024-07-08 12:59:36 +02:00
parent 20ce5d5344
commit 1657af60df
2 changed files with 24 additions and 8 deletions
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -99,9 +99,13 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
              "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
            ] and
          // TODO: This should be read step of the head_sha or head_ref output vars
-          this.getArgument("ref").matches("%.head_ref%")
+          this.getArgument("ref").regexpMatch(".*(head_ref).*")
          or
-          step.getCallee() = ["github/branch-deploy"] and
+          step.getCallee() = "potiuk/get-workflow-origin" and
+          // TODO: This should be read step of the ref output var
+          this.getArgument("ref").matches("%." + ["sourceHeadBranch", "pullRequestNumber"])
+          or
+          step.getCallee() = "github/branch-deploy" and
          // TODO: This should be read step of the ref output var
          this.getArgument("ref").matches("%.ref%")
        ) and
@@ -149,12 +153,18 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
      or
      // 3rd party actions returning the PR head sha/ref
      exists(UsesStep step |
-        step.getCallee() =
-          [
-            "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch",
-            "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
-          ] and
-        this.getArgument("ref").regexpMatch(".*head_sha.*") and
+        (
+          step.getCallee() =
+            [
+              "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch",
+              "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
+            ] and
+          this.getArgument("ref").regexpMatch(".*(head_sha).*")
+          or
+          step.getCallee() = "potiuk/get-workflow-origin" and
+          // TODO: This should be read step of the ref output var
+          this.getArgument("ref").matches("%." + ["sourceHeadSha", "mergeCommitSha"])
+        ) and
        DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
      )
      or
--- a/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
+++ b/ql/lib/ext/manual/potiuk_get-workflow-origin.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSourceModel
+    data:
+      - ["potiuk/get-workflow-origin", "*", "output.sourceHeadBranch", "branch", "manual"]