From 792e8555af5b5a6628ee1ab956b81ffdaafe3a96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Mon, 28 Oct 2024 11:56:59 +0100
Subject: [PATCH] fix: remove context 2 events mappings client_paylaod (dispatch), commits (push), head_commit (push) and merge_group are not under external attacker control so remove them
---
 ql/lib/ext/config/context_event_map.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/ql/lib/ext/config/context_event_map.yml b/ql/lib/ext/config/context_event_map.yml
index 35ccafc5bee..4d28fa778e0 100644
--- a/ql/lib/ext/config/context_event_map.yml
+++ b/ql/lib/ext/config/context_event_map.yml
@@ -40,14 +40,10 @@ extensions:
 - ["workflow_run", "github.event.workflow_run"]
 - ["workflow_run", "github.event.changes"]
 # workflow_call receives the same event payload as the calling workflow
- - ["workflow_call", "github.event.client_payload"]
 - ["workflow_call", "github.event.comment"]
- - ["workflow_call", "github.event.commits"]
 - ["workflow_call", "github.event.discussion"]
- - ["workflow_call", "github.event.head_commit"]
 - ["workflow_call", "github.event.inputs"]
 - ["workflow_call", "github.event.issue"]
- - ["workflow_call", "github.event.merge_group"]
 - ["workflow_call", "github.event.pages"]
 - ["workflow_call", "github.event.pull_request"]
 - ["workflow_call", "github.event.review"]