diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index 5db10e7823e..f10a90ee6ee 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -3,10 +3,16 @@ private import codeql.actions.DataFlow
 private import actions
 
 predicate workflowDataModel(
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
 ) {
-  Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner)
+  Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+}
+
+predicate repositoryDataModel(
+  string visibility, string default_branch_name
+) {
+  Extensions::repositoryDataModel(visibility, default_branch_name)
 }
 
 /**
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
index 529f7721e71..34f0297d799 100644
--- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -24,6 +24,10 @@ extensible predicate sinkModel(
 );
 
 extensible predicate workflowDataModel(
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
 );
+
+extensible predicate repositoryDataModel(
+  string visibility, string default_branch_name
+);
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
index ab0f2d0809a..318548859b5 100644
--- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
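Review bot: The new `repositoryDataModel` wrapper and the renamed `trigger` column of `workflowDataModel` carry no QLDoc, so a reader of ExternalFlow.qll cannot tell what the two `string` columns hold, nor that the `visibility` column here is a repository property and unrelated to the former `visibility` column of `workflowDataModel` that this hunk turns into `trigger`; the same gap exists on the extensible declarations in the ExternalFlowExtensions.qll hunk of this commit. Because the renamed column keeps type `string` and the arity is unchanged, extension rows written against the old column order compile unchanged and are read as a trigger name with no error, which the doc comment should state. Suggested for the wrapper: `/** Holds if the repository is modelled with the given visibility and default branch name; rows come from the repositoryDataModel extensible predicate and are typically supplied by an extension pack. */`, with a parallel sentence on `workflowDataModel` noting that the second column is now the triggering event. Splitting the two-parameter list of `repositoryDataModel` over three lines reads as a leftover from copying `workflowDataModel`; `predicate repositoryDataModel(string visibility, string default_branch_name) {` fits on one line and is what the QL formatter would likely produce.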
@@ -1,4 +1,5 @@
 import actions
+import codeql.actions.dataflow.ExternalFlow
 
 string defaultBranchTriggerEvent() {
   result =
@@ -10,7 +11,17 @@ string defaultBranchTriggerEvent() {
     ]
 }
 
-string defaultBranchNames() { result = ["main", "master", "default"] }
+string defaultBranchNames() {
+  exists(string default_branch_name |
+    repositoryDataModel(_, default_branch_name) and
+    result = default_branch_name
+  )
+  or
+  not exists(string default_branch_name |
+    repositoryDataModel(_, default_branch_name)
+  ) and
+  result = ["main", "master"]
+}
 
 predicate runsOnDefaultBranch(Job j) {
   exists(Event e |
diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml
index f9f983be693..f71f2081c8f 100644
--- a/ql/lib/ext/workflow-models/workflow-models.yml
+++ b/ql/lib/ext/workflow-models/workflow-models.yml
@@ -1,4 +1,8 @@
 extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: repositoryDataModel
+    data: []
   - addsTo:
       pack: githubsecuritylab/actions-all
       extensible: workflowDataModel
diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql
index 692d1eb706b..b3dc9185ec4 100644
--- a/ql/test/library-tests/workflowenum.ql
+++ b/ql/test/library-tests/workflowenum.ql
@@ -2,7 +2,7 @@ import actions
 import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions
 
 from
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
-where Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner)
-select visibility, path, job, secrets_source, permissions, runner
+where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+select trigger, path, job, secrets_source, permissions, runner
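Review bot: `defaultBranchNames()` now lets any `repositoryDataModel` row replace the `main`/`master` fallback entirely, so a single stale or mistyped branch name in an extension file silently removes every default-branch match from the cache-poisoning query instead of adding to it; since the previous version was a plain constant, that override semantics deserves a QLDoc on the predicate. Suggested: `/** Gets a default branch name: the names declared by repositoryDataModel when any row exists, otherwise the main/master fallback. A modelled row replaces the fallback rather than extending it; the visibility column is ignored here. */`. The `exists` / `not exists` pair expresses a conditional and reads more directly as one, which also makes the replace-not-extend behaviour visible at a glance. The context lines at the end of the hunk show `runsOnDefaultBranch`, the consumer of this predicate, whose body continues past the hunk.

```ql
string defaultBranchNames() {
  if exists(string name | repositoryDataModel(_, name))
  then repositoryDataModel(_, result)
  else result = ["main", "master"]
}
```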