From cb9b01cbb7f12476df1be1a2cf2cb7397168b4e6 Mon Sep 17 00:00:00 2001
From: Asger F <asgerf@github.com>
Date: Mon, 1 May 2023 10:38:09 +0200
Subject: [PATCH] JS: Port new sources based on comment from JarLob

---
 .../ql/lib/semmle/javascript/frameworks/ActionsLib.qll      | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
index 970c7d20ac5..c97cff73dfc 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
@@ -26,11 +26,13 @@ private API::Node taintSource() {
   or
   result = payload().getMember(["review", "review_comment", "comment"]).getMember("body")
   or
-  result = workflowRun().getMember("head_branch")
+  result = workflowRun().getMember(["head_branch", "display_title"])
+  or
+  result = workflowRun().getMember("head_repository").getMember("description")
   or
   result = commitObj().getMember("message")
   or
-  result = commitObj().getMember("author").getMember(["name", "email"])
+  result = commitObj().getMember(["author", "committer"]).getMember(["name", "email"])
 }
 
 private class GitHubActionsSource extends RemoteFlowSource {