Remove label sanitizer because it is prone to race conditions

javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql

@@ -17,7 +17,7 @@ import javascript
 import semmle.javascript.Actions
 
 /**
- * An action step that doesn't contain `actor` or `label` check in `if:` or
+ * An action step that doesn't contain `actor` check in `if:` or
  * the check requires manual analysis.
  */
 class ProbableStep extends Actions::Step {
@@ -29,25 +29,13 @@ class ProbableStep extends Actions::Step {
     // needs manual analysis if there is OR
     this.getIf().getValue().matches("%||%")
     or
-    // labels can be assigned by owners only
-    not exists(
-      this.getIf()
-          .getValue()
-          .regexpFind("\\bcontains\\s*\\(\\s*github\\s*\\.\\s*event\\s*\\.\\s*(?:issue|pull_request)\\s*\\.\\s*labels\\b",
-            _, _)
-    ) and
-    not exists(
-      this.getIf()
-          .getValue()
-          .regexpFind("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*label\\s*\\.\\s*name\\s*==", _, _)
-    ) and
     // actor check means only the user is able to run it
     not exists(this.getIf().getValue().regexpFind("\\bgithub\\s*\\.\\s*actor\\s*==", _, _))
   }
 }
 
 /**
- * An action job that doesn't contain `actor` or `label` check in `if:` or
+ * An action job that doesn't contain `actor` check in `if:` or
  * the check requires manual analysis.
  */
 class ProbableJob extends Actions::Job {
@@ -59,45 +47,19 @@ class ProbableJob extends Actions::Job {
     // needs manual analysis if there is OR
     this.getIf().getValue().matches("%||%")
     or
-    // labels can be assigned by owners only
-    not exists(
-      this.getIf()
-          .getValue()
-          .regexpFind("\\bcontains\\s*\\(\\s*github\\s*\\.\\s*event\\s*\\.\\s*(?:issue|pull_request)\\s*\\.\\s*labels\\b",
-            _, _)
-    ) and
-    not exists(
-      this.getIf()
-          .getValue()
-          .regexpFind("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*label\\s*\\.\\s*name\\s*==", _, _)
-    ) and
     // actor check means only the user is able to run it
     not exists(this.getIf().getValue().regexpFind("\\bgithub\\s*\\.\\s*actor\\s*==", _, _))
   }
 }
 
 /**
- * An action step that doesn't contain `actor` or `label` check in `if:` or
+ * on: pull_request_target
  */
 class ProbablePullRequestTarget extends Actions::On, YamlMappingLikeNode {
   ProbablePullRequestTarget() {
     exists(YamlNode prtNode |
       // The `on:` is triggered on `pull_request_target`
-      this.getNode("pull_request_target") = prtNode and
-      (
-        // and either doesn't contain `types` filter
-        not exists(prtNode.getAChild())
-        or
-        // or has the filter, that is something else than just [labeled]
-        exists(YamlMappingLikeNode prt, YamlMappingLikeNode types |
-          types = prt.getNode("types") and
-          prtNode = prt and
-          (
-            not types.getElementCount() = 1 or
-            not exists(types.getNode("labeled"))
-          )
-        )
-      )
+      this.getNode("pull_request_target") = prtNode
     )
   }
 }

javascript/ql/test/experimental/Security/CWE-094/UntrustedCheckout.expected

@@ -1,7 +1,13 @@
+| .github/workflows/pull_request_target_if_job.yml:9:7:12:2 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
+| .github/workflows/pull_request_target_if_job.yml:16:7:19:2 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
 | .github/workflows/pull_request_target_if_job.yml:30:7:33:2 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
 | .github/workflows/pull_request_target_if_job.yml:36:7:38:54 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
+| .github/workflows/pull_request_target_if_step.yml:9:7:14:4 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
+| .github/workflows/pull_request_target_if_step.yml:14:7:19:4 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
 | .github/workflows/pull_request_target_if_step.yml:24:7:29:4 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
 | .github/workflows/pull_request_target_if_step.yml:29:7:31:54 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
+| .github/workflows/pull_request_target_label_only.yml:10:7:12:54 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
+| .github/workflows/pull_request_target_label_only_mapping.yml:11:7:13:54 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
 | .github/workflows/pull_request_target_labels_mapping.yml:13:7:15:54 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
 | .github/workflows/pull_request_target_labels_sequence.yml:10:7:12:54 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |
 | .github/workflows/pull_request_target_mapping.yml:8:7:10:54 | uses: a ... kout@v2 | Potential unsafe checkout of untrusted pull request on 'pull_request_target'. |