From 39b6cf94688e54bce7a7c6944dda1e955cda131e Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Mon, 4 May 2026 16:47:44 -0400 Subject: [PATCH] Address review comments --- .../2026-04-15-poisonable-steps-additions-alterations.md | 2 +- .../2026-04-15-untrusted-checkout-improvements-helpfile.md | 4 ++++ .../2026-04-15-untrusted-checkout-improvements-metadata.md | 4 ++++ .../2026-04-15-untrusted-checkout-improvements.md | 4 +--- 4 files changed, 10 insertions(+), 4 deletions(-) create mode 100644 actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md create mode 100644 actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md diff --git a/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md b/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md index 1d6a8a49a2c..4a28280a3c8 100644 --- a/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md +++ b/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md 
@@ -1,4 +1,4 @@ --- category: minorAnalysis --- -* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by any queries that use that library. \ No newline at end of file +* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`. \ No newline at end of file diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md new file mode 100644 index 00000000000..2555bc03d3d --- /dev/null +++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md @@ -0,0 +1,4 @@ +--- +category: fix +--- +* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. \ No newline at end of file 
diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md new file mode 100644 index 00000000000..78f97da0f17 --- /dev/null +++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md @@ -0,0 +1,4 @@ +--- +category: queryMetadata +--- +* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context. \ No newline at end of file diff --git a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md index b78cc74e089..098c60a3753 100644 --- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md +++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md 
@@ -1,6 +1,4 @@ --- category: majorAnalysis --- -* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. -* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query. -* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context. This will cause the same alerts to re-open for closed alerts of this query. \ No newline at end of file +* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query. \ No newline at end of file
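Review bot: in the `poisonable_steps` lib note (first hunk), "scripts executed via python modules" does not say which invocation form is now matched, while the Go case spells out `go run` and that flags between `go` and the subcommand are skipped; name the Python pattern with the same precision (which interpreter invocation and which argument shape counts as a script run) so a reader of the release notes can tell which workflows will gain alerts. The enumerated list of seven query IDs is fine for a one-off note, but it will go stale silently if another query starts using the library; consider saying "queries that use `poisonable_steps`, currently: ..." so the list is understood as a snapshot. Both old and new text also end with "\ No newline at end of file"; add the trailing newline.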
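Review bot: the new `fix` change note (second hunk) calls the change "help file descriptions" in its first sentence and "the messages" in its second; these are different artefacts (the `.qhelp` text versus the alert message emitted by the query), so use one term consistently and, if the alert message template also changed, say so explicitly since that is what users see in their alert list. The new file is created without a trailing newline.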
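Review bot: the new `queryMetadata` note (third hunk) drops the "This will cause the same alerts to re-open for closed alerts of this query" sentence that the old combined entry attached to the `actions/untrusted-checkout/high` rename, but the fourth hunk keeps that sentence for the `critical` location change. If the rename genuinely does not affect alert identity, dropping it is correct, but the note should then give the new name (or the old and new names) so readers can locate the renamed query; "more clearly describe which parts of the scenario are in a privileged context" tells them why without telling them what. Add the missing trailing newline as well.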
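Review bot: in the trimmed `majorAnalysis` note (fourth hunk), "This aligns with the other 2 related queries" leaves those queries unnamed even though the sibling note in this patch lists them as `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`; name them here too. Keeping the re-open warning for the alert-location change is right, but saying that existing `critical` alerts will move from the current location to the checkout step would tell users what the re-opened alerts will look like. The remaining line still ends with "\ No newline at end of file".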