From f4dc86e645ff20f7c42ff35ec28f2bbd3f8b3009 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 4 Jun 2026 18:18:08 +0100 Subject: [PATCH] Correct query metadata for `actions/untrusted-checkout/medium` --- .../CWE-829/UntrustedCheckoutMedium.ql | 10 +++++----- ...6-04-untrusted-checkout-medium-metadata.md | 4 ++++ .../CWE-829/UntrustedCheckoutMedium.expected | 20 +++++++++---------- 3 files changed, 19 insertions(+), 15 deletions(-) create mode 100644 actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql index ca68c7fffd1..fc4b8b11257 100644 --- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql +++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql @@ -1,8 +1,8 @@ /** - * @name Checkout of untrusted code in a trusted context - * @description Privileged workflows have read/write access to the base repository and access to secrets. - * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment - * that is able to push to the base repository and to access secrets. + * @name Checkout of untrusted code in a non-privileged context + * @description Checking out and running the build script from a fork executes untrusted code. Even in a + * non-privileged workflow, this can be abused, for example to compromise self-hosted runners + * or to poison caches and artifacts that are later consumed by privileged workflows. * @kind problem * @problem.severity warning * @precision medium @@ -20,4 +20,4 @@ from PRHeadCheckoutStep checkout where // the checkout occurs in a non-privileged context inNonPrivilegedContext(checkout) -select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow." +select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow." diff --git a/actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md b/actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md new file mode 100644 index 00000000000..cb082fc63a5 --- /dev/null +++ b/actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md @@ -0,0 +1,4 @@ +--- +category: queryMetadata +--- +* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context. diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 2b9bf3f2b79..cb5e652d560 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,10 +1,10 @@ -| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. | +| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |