Fix expression always true query

2026-04-29 10:45:15 +02:00 · 2024-04-20 23:31:08 +02:00
parent 46d2bb24e5
commit 9183fb0d80
5 changed files with 47 additions and 9 deletions
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.13
+version: 0.0.14
 dependencies:
  codeql/util: ^0.2.0
  codeql/yaml: ^0.1.2
--- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql
+++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql
@@ -1,4 +1,6 @@
 /**
+ *:
+ *
 * @name If expression always true
 * @description Expressions used in If conditions with extra spaces are always true.
 * @kind problem
@@ -16,10 +18,10 @@ import actions
 from If i
 where
  i.getCondition().matches("%${{%") and
-  i.getConditionStyle() = ["|", ">"]
-  or
-  i.getCondition().matches("%${{%") and
-  not i.getCondition().matches("${{%")
+  (
+    not i.getCondition().matches("${{%") or
+    not i.getCondition().matches("%}}")
+  )
  or
  count(i.getCondition().splitAt("${{")) > 2
 select i, "Expression always evaluates to true"
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.13
+version: 0.0.14
 groups:
  - actions
  - queries
--- a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml
+++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml
@@ -8,7 +8,7 @@ jobs:
  process-pr:
    runs-on: ubuntu-latest
    steps:
-      - name: Test1 
+      - name: Test 1 
        if: 1 == 2
        run: echo "Test 1 should not be printed"
      - name: Test 2 
@@ -36,8 +36,8 @@ jobs:
      - name: Test 7
        run: echo "Test 7 should not be printed"
        if: ${{ 
-              1 == 2 ||
-              3 == 4
+              github.actor == 'torvalds' || 
+              github.actor == 'dependabot[bot]'
          }}

      - name: Test 8
@@ -58,3 +58,32 @@ jobs:
      - name: Test 12
        if:   " ${{ 1 == 2  }}"
        run: echo "Test 12 should not be printed"
+      - name: Test 13
+        if: |
+          1 == 2 ||
+          3 == 4
+        run: echo "Test 13 should not be printed"
+      - name: Test 14
+        if: >-
+          ${{(
+            false || 1 == 2
+          )}}
+        run: echo "Test 14 should not be printed"
+      - name: Test 15
+        if: |-
+          ${{(
+            false || 1 == 2
+          )}}
+        run: echo "Test 15 should not be printed"
+      - name: Test 16
+        if: |+
+          ${{(
+            false || 1 == 2
+          )}}
+        run: echo "Test 16 should not be printed"
+      - name: Test 17
+        if: >+
+          ${{(
+            false || 1 == 2
+          )}}
+        run: echo "Test 17 should not be printed"
--- a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected
+++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.expected
@@ -0,0 +1,7 @@
+| .github/workflows/test.yml:15:13:19:13 | \| | Expression always evaluates to true |
+| .github/workflows/test.yml:34:13:34:39 | ${{ 1 = ... == 2 }} | Expression always evaluates to true |
+| .github/workflows/test.yml:45:13:48:24 | >  | Expression always evaluates to true |
+| .github/workflows/test.yml:56:15:56:31 | " ${{ 1 == 2  }}" | Expression always evaluates to true |
+| .github/workflows/test.yml:59:15:59:31 | " ${{ 1 == 2  }}" | Expression always evaluates to true |
+| .github/workflows/test.yml:79:13:82:14 | \|+ | Expression always evaluates to true |
+| .github/workflows/test.yml:85:13:88:14 | >+ | Expression always evaluates to true |