From 645177cc8083e2d6f249ec1feaba5b8d9687ef9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 26 Feb 2024 09:39:42 +0100
Subject: [PATCH] Account for github.event.label check as a sanitizer for untrusted checkout

---
 ql/src/Security/CWE-094/UntrustedCheckout.ql | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ql/src/Security/CWE-094/UntrustedCheckout.ql b/ql/src/Security/CWE-094/UntrustedCheckout.ql
index 25d05f1b7c2..9c9b5f9eb26 100644
--- a/ql/src/Security/CWE-094/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-094/UntrustedCheckout.ql
@@ -25,7 +25,10 @@ class ActorCheckStmt extends IfStmt {
  * An If node that contains a `label` check
  */
 class LabelCheckStmt extends IfStmt {
-  LabelCheckStmt() { this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") }
+  LabelCheckStmt() {
+    this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or
+    this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*")
+  }
 }
 
 from WorkflowStmt w, JobStmt job, StepUsesExpr checkoutStep
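Review bot: The new `github\.event\.label\.name` alternative in the `LabelCheckStmt` characteristic predicate is a substring match, so any `if:` condition that merely mentions the label name is treated as a sanitizer, regardless of whether it actually compares the label against a fixed trusted value or how the comparison is written. Because this class suppresses results for the untrusted-checkout query, an over-broad match turns into false negatives rather than false positives, which is the more dangerous direction for a security query; it is worth at least stating this trade-off in the QLDoc and, if the predicate library allows, tightening the match to a comparison against a literal. The QLDoc above the class also still says only that it "contains a `label` check" and does not mention the new trigger-payload form; I would replace it with `* An If node whose condition references `github.event.pull_request.labels` or `github.event.label.name`,` / `* used as a heuristic label-gating sanitizer (it does not verify the compared value).`. The `github.event.label` context is, as far as I can tell, only populated for label-related event types, so a brief note on which triggers this sanitizer is meaningful for would help readers of the query.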