diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql index 411d0052d4b..fe49b2dd3b5 100644 --- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql +++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql @@ -30,7 +30,8 @@ where check.protects(source.getNode().asExpr(), event, "code-injection") ) and // excluding privileged workflows since they can be exploited in easier circumstances - not job.isPrivileged() and + // which is covered by `actions/code-injection/critical` + not job.isPrivilegedExternallyTriggerable(event) and ( // the workflow runs in the context of the default branch runsOnDefaultBranch(event) diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected index d9f659cbcc3..5c5c26edb4e 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected 
@@ -8,4 +8,3 @@ nodes subpaths #select | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} |
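Review bot: in the `where` clause of CachePoisoningViaCodeInjection.ql, the comment above the new `not job.isPrivilegedExternallyTriggerable(event)` still reads "excluding privileged workflows", but the new predicate excludes only jobs that are both privileged and externally triggerable via `event`; privileged jobs that are not externally triggerable now stay in scope for this query, which is a broadening of the old `not job.isPrivileged()`. Suggest updating the comment to match, e.g. `// excluding externally triggerable privileged jobs, which are reported by actions/code-injection/critical`, and confirming in the PR description that `isPrivilegedExternallyTriggerable` is evaluated against the same `event` used by `runsOnDefaultBranch(event)` a few lines below, so both conditions refer to the same trigger.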
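Review bot: the removed `#select` row for `.github/workflows/code_injection2.yml:16:21:16:70` (`steps.modified_files.outputs.files_modified`) is only half of the expected-output change: if the intent is that this case is now handed to `actions/code-injection/critical`, the PR should also show it appearing in that query's `.expected` file (or note that it is already present there), otherwise this finding silently drops out of test coverage. A sentence in the description on why the `code_injection1.yml:11:17:11:48` row is retained while the `code_injection2.yml` row is dropped would make the intended split between the two queries clear to future readers of the test.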