Merge pull request #35 from github/default_branch_name

2025-12-28 22:56:32 +01:00 · 2024-05-15 17:57:25 +02:00
parent d5e679a340 00052d1ea1
commit d15dc68e43
5 changed files with 32 additions and 7 deletions
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -3,10 +3,16 @@ private import codeql.actions.DataFlow
 private import actions

 predicate workflowDataModel(
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
  string runner
 ) {
-  Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner)
+  Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+}
+
+predicate repositoryDataModel(
+  string visibility, string default_branch_name
+) {
+  Extensions::repositoryDataModel(visibility, default_branch_name)
 }

 /**
--- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -24,6 +24,10 @@ extensible predicate sinkModel(
 );

 extensible predicate workflowDataModel(
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
  string runner
 );
+
+extensible predicate repositoryDataModel(
+  string visibility, string default_branch_name
+);
--- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -1,4 +1,5 @@
 import actions
+import codeql.actions.dataflow.ExternalFlow

 string defaultBranchTriggerEvent() {
  result =
@@ -10,7 +11,17 @@ string defaultBranchTriggerEvent() {
    ]
 }

-string defaultBranchNames() { result = ["main", "master", "default"] }
+string defaultBranchNames() {
+  exists(string default_branch_name |
+    repositoryDataModel(_, default_branch_name) and
+    result = default_branch_name
+  )
+  or
+  not exists(string default_branch_name |
+    repositoryDataModel(_, default_branch_name)
+  ) and
+  result = ["main", "master"]
+}

 predicate runsOnDefaultBranch(Job j) {
  exists(Event e |
--- a/ql/lib/ext/workflow-models/workflow-models.yml
+++ b/ql/lib/ext/workflow-models/workflow-models.yml
@@ -1,4 +1,8 @@
 extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: repositoryDataModel
+    data: []
  - addsTo:
      pack: githubsecuritylab/actions-all
      extensible: workflowDataModel
--- a/ql/test/library-tests/workflowenum.ql
+++ b/ql/test/library-tests/workflowenum.ql
@@ -2,7 +2,7 @@ import actions
 import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions

 from
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
  string runner
-where Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner)
-select visibility, path, job, secrets_source, permissions, runner
+where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+select trigger, path, job, secrets_source, permissions, runner