From 726392c8b7b65f6efadad21c1ef353c7b56d0fea Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Tue, 1 Oct 2024 09:48:16 +0200
Subject: [PATCH] Suppress `actions/cache-poisoning/code-injection` alerts covered by `actions/code-injection/critical`
---
 ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql | 3 ++-
 .../Security/CWE-349/CachePoisoningViaCodeInjection.expected | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
index 411d0052d4b..fe49b2dd3b5 100644
--- a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+++ b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
@@ -30,7 +30,8 @@ where
     check.protects(source.getNode().asExpr(), event, "code-injection")
   ) and
   // excluding privileged workflows since they can be exploited in easier circumstances
-  not job.isPrivileged() and
+  // which is covered by `actions/code-injection/critical`
+  not job.isPrivilegedExternallyTriggerable(event) and
   (
     // the workflow runs in the context of the default branch
     runsOnDefaultBranch(event)
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
index d9f659cbcc3..5c5c26edb4e 100644
--- a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
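Review bot: The new filter `not job.isPrivilegedExternallyTriggerable(event)` relies on `actions/code-injection/critical` selecting exactly the complement, but nothing in this file records that coupling; if the critical query's job filter is later tightened, code-injection sinks in privileged workflows would fall out of both queries and produce no alert at all. The added comment should state the invariant rather than just name the other query, e.g. `// must remain the negation of the job filter in actions/code-injection/critical; a job matching neither query is never reported`, or better, both queries should call one shared predicate. The removed `.expected` row for `code_injection2.yml` also suggests the two predicates are not nested — that job apparently was not `isPrivileged()` yet is now excluded — so jobs that are privileged but not externally triggerable now enter this query, and a test workflow for that case would pin the widened result set, which the `.expected` change does not cover. The enclosing `where` clause begins and ends outside the hunk.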
@@ -8,4 +8,3 @@ nodes
 subpaths
 #select
 | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} |