From 87ea442a78571cbd01eb80ba425fde2b9c0889fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
Date: Mon, 15 Mar 2021 18:47:45 +0200
Subject: [PATCH] qhelp
---
 .../experimental/Security/CWE-094/UntrustedCheckout.qhelp | 5 +++--
 .../experimental/Security/CWE-094/examples/comment_pr.yml | 1 -
 .../experimental/Security/CWE-094/examples/receive_pr.yml | 1 -
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp b/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp
index b210616d82f..4833b50d8e2 100644
--- a/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp
@@ -46,12 +46,13 @@

- The following examples use two triggers to handle potentially untrusted
- pull request in a secure manner:
+ The following example uses two workflows to handle potentially untrusted
+ pull request in a secure manner. The receive_pr.yml is triggered first:

+

The comment_pr.yml is triggered after receive_pr.yml completes:

diff --git a/javascript/ql/src/experimental/Security/CWE-094/examples/comment_pr.yml b/javascript/ql/src/experimental/Security/CWE-094/examples/comment_pr.yml
index 6b4ec61ddea..e496b1449a0 100644
--- a/javascript/ql/src/experimental/Security/CWE-094/examples/comment_pr.yml
+++ b/javascript/ql/src/experimental/Security/CWE-094/examples/comment_pr.yml
@@ -1,4 +1,3 @@
-# comment_pr.yml
name: Comment on the pull request
# read-write repo token
diff --git a/javascript/ql/src/experimental/Security/CWE-094/examples/receive_pr.yml b/javascript/ql/src/experimental/Security/CWE-094/examples/receive_pr.yml
index c0e46bdd431..7104bce8bf3 100644
--- a/javascript/ql/src/experimental/Security/CWE-094/examples/receive_pr.yml
+++ b/javascript/ql/src/experimental/Security/CWE-094/examples/receive_pr.yml
@@ -1,4 +1,3 @@
-# receive_pr.yml
name: Receive PR
# read-only repo token