From 569e80b6784cece7a90f1ac70585d2e6dbfee133 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 9 Aug 2024 17:17:18 +0200
Subject: [PATCH] Fix ImproperAccess query

---
 ql/src/Security/CWE-285/ImproperAccessControl.ql | 13 +++++++++----
 .../Security/CWE-285/ImproperAccessControl.expected | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql
index 2c7882604b2..ba002f16a87 100644
--- a/ql/src/Security/CWE-285/ImproperAccessControl.ql
+++ b/ql/src/Security/CWE-285/ImproperAccessControl.ql
@@ -17,9 +17,14 @@ import codeql.actions.security.ControlChecks
 from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event
 where
   job.isPrivileged() and
-  job.getATriggerEvent() = event and
-  event.getName() = "pull_request_target" and
-  event.getAnActivityType() = "synchronize" and
-  check.dominates(checkout)
+  job.getAStep() = checkout and
+  check.dominates(checkout) and
+  (
+    job.getATriggerEvent() = event and
+    event.getName() = "pull_request_target" and
+    event.getAnActivityType() = "synchronize"
+    or
+    not exists(job.getATriggerEvent())
+  )
 select checkout, "The checked-out code can be modified after the authorization check $@.", check,
   check.toString()
diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
index 53dd12b9fb6..92f87dc1f35 100644
--- a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
+++ b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
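Review bot: In the new `or` branch, `not exists(job.getATriggerEvent())` leaves `event` unrelated to `job`, so that disjunct ranges over every `Event` in the database; the results are deduplicated because `event` is not selected, but it is an avoidable cross product and, if I read the QL binding rules right, it is only accepted because `Event` has a finite extent. Scoping `event` inside the first disjunct with `exists(Event event | ...)` and dropping it from the `from` clause keeps each branch self-contained. The fallback branch also deserves a one-line comment saying why a job with no resolvable trigger is treated like a `pull_request_target`/`synchronize` job — presumably workflows whose trigger is decided by a caller, which is inferred rather than visible here — e.g. `// No trigger resolvable for this job: conservatively assume it can run on pull_request_target/synchronize`. If the query's `@description` metadata above this hunk still describes the narrower trigger-only condition, it should be updated to match the broadened scope.
```ql
from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout
where
  // … unchanged: job.isPrivileged(), job.getAStep() = checkout, check.dominates(checkout) …
  (
    exists(Event event |
      job.getATriggerEvent() = event and
      event.getName() = "pull_request_target" and
      event.getAnActivityType() = "synchronize"
    )
    or
    // No trigger resolvable for this job: conservatively assume it can run on pull_request_target/synchronize
    not exists(job.getATriggerEvent())
  )
// … unchanged: select clause …
```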
@@ -1 +1 @@
-| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') |
+| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/test1.yml:17:11:17:75 | contain ... test') | contain ... test') |