hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-11 13:40:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Account for github.event.label check as a sanitizer for untrusted checkout

Browse Source
This commit is contained in:
Alvaro Muñoz
2024-02-26 09:39:42 +01:00
parent 1458434504
commit 645177cc80
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ql/src/Security/CWE-094/UntrustedCheckout.ql
View File

@@ -25,7 +25,10 @@ class ActorCheckStmt extends IfStmt {
* An If node that contains a `label` check
*/
class LabelCheckStmt extends IfStmt {
LabelCheckStmt() { this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") }
LabelCheckStmt() {
this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or
this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*")
}
}
from WorkflowStmt w, JobStmt job, StepUsesExpr checkoutStep