From e28ad1d644e50148ec8efb43e85519658b9d88ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= <pwntester@github.com>
Date: Thu, 16 May 2024 10:28:24 +0200
Subject: [PATCH] Reduce FP for actor/association checks that cannot be
 bypassed this way

---
 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql | 2 +-
 ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
index c5e12c0fccc..a3fcc9e0403 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
@@ -15,7 +15,7 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 
-from ControlCheck check, MutableRefCheckoutStep checkout
+from LabelControlCheck check, MutableRefCheckoutStep checkout
 where
   // the mutable checkout step is protected by an access check
   check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
diff --git a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
index b74c3389f9d..562fc0809b7 100644
--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
@@ -15,7 +15,7 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 
-from ControlCheck check, MutableRefCheckoutStep checkout
+from LabelControlCheck check, MutableRefCheckoutStep checkout
 where
   // the mutable checkout step is protected by an access check
   check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and