hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-28 22:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Centralize isPrivileged decisions

Browse Source
This commit is contained in:
Alvaro Muñoz
2024-04-03 15:39:00 +02:00
parent 119c7b8158
commit 2988bc8885
13 changed files with 75 additions and 155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
ql/lib/codeql/actions/Ast.qll
View File

@@ -35,6 +35,8 @@ class AstNode instanceof AstNodeImpl {
Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() }
CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() }
Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) }
}
@@ -123,6 +125,25 @@ class Workflow extends AstNode instanceof WorkflowImpl {
Permissions getPermissions() { result = super.getPermissions() }
Strategy getStrategy() { result = super.getStrategy() }
predicate hasSingleTrigger(string trigger) {
this.getATriggerEvent() = trigger and
count(string t | this.getATriggerEvent() = t | t) = 1
}
predicate isPrivileged() {
// The Workflow is triggered by an event other than `pull_request`
not this.hasSingleTrigger("pull_request")
or
// The Workflow is only triggered by `workflow_call` and there is
// a caller workflow triggered by an event other than `pull_request`
this.hasSingleTrigger("workflow_call") and
exists(ExternalJob call, Workflow caller |
call.getCallee() = this.getLocation().getFile().getRelativePath() and
caller = call.getWorkflow() and
not caller.hasSingleTrigger("pull_request")
)
}
}
class ReusableWorkflow extends Workflow instanceof ReusableWorkflowImpl {

7
ql/lib/codeql/actions/ast/internal/Ast.qll
View File

@@ -95,10 +95,15 @@ abstract class AstNodeImpl extends TAstNode {
JobImpl getEnclosingJob() { result.getAChildNode*() = this.getParentNode() }
/**
* Gets the enclosing workflow statement.
* Gets the enclosing workflow if any.
*/
WorkflowImpl getEnclosingWorkflow() { this = result.getAChildNode*() }
/**
* Gets the enclosing composite action if any.
*/
CompositeActionImpl getEnclosingCompositeAction() { this = result.getAChildNode*() }
/**
* Gets a environment variable expression by name in the scope of the current node.
*/

11
ql/src/Security/CWE-077/EnvVarInjection.ql
View File

@@ -17,7 +17,16 @@ import codeql.actions.security.EnvVarInjectionQuery
import EnvVarInjectionFlow::PathGraph
from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
where EnvVarInjectionFlow::flowPath(source, sink)
where
EnvVarInjectionFlow::flowPath(source, sink) and
(
exists(source.getNode().asExpr().getEnclosingCompositeAction())
or
exists(Workflow w |
w = source.getNode().asExpr().getEnclosingWorkflow() and
not w.isPrivileged()
)
)
select sink.getNode(), source, sink,
"Potential environment variable injection in $@, which may be controlled by an external user.",
sink, sink.getNode().asExpr().(Expression).getRawExpression()

13
ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
View File

@@ -16,16 +16,13 @@ import actions
import codeql.actions.security.EnvVarInjectionQuery
import EnvVarInjectionFlow::PathGraph
predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
w.getATriggerEvent() = trigger and
count(string t | w.getATriggerEvent() = t | t) = 1
}
from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w
from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
where
EnvVarInjectionFlow::flowPath(source, sink) and
w = source.getNode().asExpr().getEnclosingWorkflow() and
not isSingleTriggerWorkflow(w, "pull_request")
exists(Workflow w |
w = source.getNode().asExpr().getEnclosingWorkflow() and
w.isPrivileged()
)
select sink.getNode(), source, sink,
"Potential privileged environment variable injection in $@, which may be controlled by an external user.",
sink, sink.getNode().asExpr().(Expression).getRawExpression()

11
ql/src/Security/CWE-078/CommandInjection.ql
View File

@@ -17,7 +17,16 @@ import codeql.actions.security.CommandInjectionQuery
import CommandInjectionFlow::PathGraph
from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
where CommandInjectionFlow::flowPath(source, sink)
where
CommandInjectionFlow::flowPath(source, sink) and
(
exists(source.getNode().asExpr().getEnclosingCompositeAction())
or
exists(Workflow w |
w = source.getNode().asExpr().getEnclosingWorkflow() and
not w.isPrivileged()
)
)
select sink.getNode(), source, sink,
"Potential command injection in $@, which may be controlled by an external user.", sink,
sink.getNode().asExpr().(Expression).getRawExpression()

13
ql/src/Security/CWE-078/PrivilegedCommandInjection.ql
View File

@@ -16,16 +16,13 @@ import actions
import codeql.actions.security.CommandInjectionQuery
import CommandInjectionFlow::PathGraph
predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
w.getATriggerEvent() = trigger and
count(string t | w.getATriggerEvent() = t | t) = 1
}
from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w
from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
where
CommandInjectionFlow::flowPath(source, sink) and
w = source.getNode().asExpr().getEnclosingWorkflow() and
not isSingleTriggerWorkflow(w, "pull_request")
exists(Workflow w |
w = source.getNode().asExpr().getEnclosingWorkflow() and
w.isPrivileged()
)
select sink.getNode(), source, sink,
"Potential privileged command injection in $@, which may be controlled by an external user.",
sink, sink.getNode().asExpr().(Expression).getRawExpression()

11
ql/src/Security/CWE-094/CodeInjection.ql
View File

@@ -19,7 +19,16 @@ import codeql.actions.security.CodeInjectionQuery
import CodeInjectionFlow::PathGraph
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
where CodeInjectionFlow::flowPath(source, sink)
where
CodeInjectionFlow::flowPath(source, sink) and
(
exists(source.getNode().asExpr().getEnclosingCompositeAction())
or
exists(Workflow w |
w = source.getNode().asExpr().getEnclosingWorkflow() and
not w.isPrivileged()
)
)
select sink.getNode(), source, sink,
"Potential code injection in $@, which may be controlled by an external user.", sink,
sink.getNode().asExpr().(Expression).getRawExpression()

13
ql/src/Security/CWE-094/PrivilegedCodeInjection.ql
View File

@@ -18,16 +18,13 @@ import actions
import codeql.actions.security.CodeInjectionQuery
import CodeInjectionFlow::PathGraph
predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
w.getATriggerEvent() = trigger and
count(string t | w.getATriggerEvent() = t | t) = 1
}
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Workflow w
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
where
CodeInjectionFlow::flowPath(source, sink) and
w = source.getNode().asExpr().getEnclosingWorkflow() and
not isSingleTriggerWorkflow(w, "pull_request")
exists(Workflow w |
w = source.getNode().asExpr().getEnclosingWorkflow() and
w.isPrivileged()
)
select sink.getNode(), source, sink,
"Potential privileged code injection in $@, which may be controlled by an external user.", sink,
sink.getNode().asExpr().(Expression).getRawExpression()

22
ql/src/Security/CWE-829/ArtifactPoisoning.ql
View File

@@ -14,27 +14,9 @@
import actions
import codeql.actions.security.ArtifactPoisoningQuery
predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
w.getATriggerEvent() = trigger and
count(string t | w.getATriggerEvent() = t | t) = 1
}
from Workflow w, LocalJob job, ArtifactDownloadStep download, Step run
from LocalJob job, ArtifactDownloadStep download, Step run
where
w = job.getWorkflow() and
(
// The Workflow is triggered by an event other than `pull_request`
not isSingleTriggerWorkflow(w, "pull_request")
or
// The Workflow is only triggered by `workflow_call` and there is
// a caller workflow triggered by an event other than `pull_request`
isSingleTriggerWorkflow(w, "workflow_call") and
exists(ExternalJob call, Workflow caller |
call.getCallee() = w.getLocation().getFile().getRelativePath() and
caller = call.getWorkflow() and
not isSingleTriggerWorkflow(caller, "pull_request")
)
) and
job.getWorkflow().isPrivileged() and
(run instanceof Run or run instanceof UsesStep) and
exists(int i, int j |
job.getStep(i) = download and

19
ql/src/Security/CWE-829/UntrustedCheckout.ql
View File

@@ -121,26 +121,9 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run {
}
}
predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
w.getATriggerEvent() = trigger and
count(string t | w.getATriggerEvent() = t | t) = 1
}
from Workflow w, PRHeadCheckoutStep checkout
where
(
// The Workflow is triggered by an event other than `pull_request`
not isSingleTriggerWorkflow(w, "pull_request")
or
// The Workflow is only triggered by `workflow_call` and there is
// a caller workflow triggered by an event other than `pull_request`
isSingleTriggerWorkflow(w, "workflow_call") and
exists(ExternalJob call, Workflow caller |
call.getCallee() = w.getLocation().getFile().getRelativePath() and
caller = call.getWorkflow() and
not isSingleTriggerWorkflow(caller, "pull_request")
)
) and
w.isPrivileged() and
w.getAJob().(LocalJob).getAStep() = checkout and
not exists(ControlCheck check |
checkout.getIf() = check or checkout.getEnclosingJob().getIf() = check

1
ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected
View File

@@ -3,4 +3,3 @@ nodes
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
subpaths
#select
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |

1
ql/test/query-tests/Security/CWE-078/CommandInjection.expected
View File

@@ -3,4 +3,3 @@ nodes
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
subpaths
#select
| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} |

87
ql/test/query-tests/Security/CWE-094/CodeInjection.expected
View File

@@ -209,92 +209,5 @@ nodes
| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body |
subpaths
#select
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} |
| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} |
| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} |
| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} |
| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} |
| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} |
| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} |
| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} |
| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} |
| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} |
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} |
| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} |
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} |
| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} |
| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} |
| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} |
| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} |
| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} |
| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} |
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} |
| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} |
| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} |
| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} |
| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} |
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} |
| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} |
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} |
| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} |
| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} |
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} |
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |
| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} |
| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} |
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} |
| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} |
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} |
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} |
| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} |
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} |
| .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} |
| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} |
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} |
| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} |
| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} |
| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} |