Apply suggestions from code review (comments)

Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
2026-04-25 16:55:19 +02:00 · 2023-04-13 22:55:53 +02:00
parent 72b66ffe97
commit 8f1bccbb4d
2 changed files with 3 additions and 3 deletions
--- a/javascript/ql/lib/change-notes/2023-04-03-gh-injection.md
+++ b/javascript/ql/lib/change-notes/2023-04-03-gh-injection.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Fixes and improvements in GitHub Actions Injection query.
+* Improved the queries for injection vulnerabilities in GitHub Actions workflows (`js/actions/command-injection` and `js/actions/pull-request-target`) and the associated library `semmle.javascript.Actions`. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files.
--- a/javascript/ql/lib/semmle/javascript/Actions.qll
+++ b/javascript/ql/lib/semmle/javascript/Actions.qll
@@ -234,10 +234,10 @@ module Actions {
    /** Gets the 0-based position of this step within the sequence of `steps`. */
    int getIndex() { result = index }

-    /** Gets the `job` this step belongs to. The step may belong to a `job` in a workflow or `runs` in a custom action. */
+    /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom action. */
    Job getJob() { result = parent }

-    /** Gets the `runs` this step belongs to. The step may belong to a `job` in a workflow or `runs` in a custom action. */
+    /** Gets the `runs` this step belongs to, if the step belongs to a `runs` in a custom action. Has no result if the step belongs to a `job` in a workflow. */
    Runs getRuns() { result = parent }

    /** Gets the value of the `uses` field in this step, if any. */