JS: Port new sources based on comment from JarLob

2025-12-21 11:16:30 +01:00 · 2023-05-01 10:38:09 +02:00
parent 3d208c0a62
commit cb9b01cbb7
1 changed files with 4 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
@@ -26,11 +26,13 @@ private API::Node taintSource() {
  or
  result = payload().getMember(["review", "review_comment", "comment"]).getMember("body")
  or
-  result = workflowRun().getMember("head_branch")
+  result = workflowRun().getMember(["head_branch", "display_title"])
+  or
+  result = workflowRun().getMember("head_repository").getMember("description")
  or
  result = commitObj().getMember("message")
  or
-  result = commitObj().getMember("author").getMember(["name", "email"])
+  result = commitObj().getMember(["author", "committer"]).getMember(["name", "email"])
 }

 private class GitHubActionsSource extends RemoteFlowSource {