Fix ImproperAccess query

2025-12-28 06:36:33 +01:00 · 2024-08-09 17:17:18 +02:00
parent 9411fac4d0
commit 569e80b678
2 changed files with 10 additions and 5 deletions
--- a/ql/src/Security/CWE-285/ImproperAccessControl.ql
+++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql
@@ -17,9 +17,14 @@ import codeql.actions.security.ControlChecks
 from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event
 where
  job.isPrivileged() and
-  job.getATriggerEvent() = event and
-  event.getName() = "pull_request_target" and
-  event.getAnActivityType() = "synchronize" and
-  check.dominates(checkout)
+  job.getAStep() = checkout and
+  check.dominates(checkout) and
+  (
+    job.getATriggerEvent() = event and
+    event.getName() = "pull_request_target" and
+    event.getAnActivityType() = "synchronize"
+    or
+    not exists(job.getATriggerEvent())
+  )
 select checkout, "The checked-out code can be modified after the authorization check $@.", check,
  check.toString()
--- a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
+++ b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
@@ -1 +1 @@
-| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/test1.yml:17:11:17:75 | contain ...  test') | contain ...  test') |
+| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/test1.yml:17:11:17:75 | contain ...  test') | contain ...  test') |