hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-09 04:30:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Minor improvemnts

Browse Source
This commit is contained in:
Alvaro Muñoz
2024-06-13 11:51:15 +02:00
parent ceac1c6392
commit a84c1c4706
2 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
View File

@@ -20,12 +20,13 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep
DownloadArtifactActionStep() {
this.getCallee() =
[
"dawidd6/action-download-artifact", "marcofaggian/action-download-multiple-artifacts",
"benday-inc/download-latest-artifact", "blablacar/action-download-last-artifact",
"levonet/action-download-last-artifact", "bettermarks/action-artifact-download",
"aochmann/actions-download-artifact", "cytopia/download-artifact-retry-action",
"alextompkins/download-prior-artifact", "nmerget/download-gzip-artifact",
"benday-inc/download-artifact", "synergy-au/download-workflow-artifacts-action",
"actions/download-artifact", "dawidd6/action-download-artifact",
"marcofaggian/action-download-multiple-artifacts", "benday-inc/download-latest-artifact",
"blablacar/action-download-last-artifact", "levonet/action-download-last-artifact",
"bettermarks/action-artifact-download", "aochmann/actions-download-artifact",
"cytopia/download-artifact-retry-action", "alextompkins/download-prior-artifact",
"nmerget/download-gzip-artifact", "benday-inc/download-artifact",
"synergy-au/download-workflow-artifacts-action", "ishworkh/docker-image-artifact-download",
"ishworkh/container-image-artifact-download", "sidx1024/action-download-artifact",
"hyperskill/azblob-download-artifact", "ma-ve/action-download-artifact-with-retry"
] and

5
ql/lib/codeql/actions/security/PoisonableSteps.qll
View File

@@ -19,10 +19,11 @@ class DangerousActionUsesStep extends PoisonableStep, UsesStep {
private string dangerousCommands() {
result =
[
"npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
"npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
"terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",
"msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build",
"pytest", "pip install -r ", "pip install --requirement", "java -jar "
"pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install",
"poetry run"
]
}