hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-11 05:30:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: restrict EnvCtxAccessExpr to Env decarlations on the same file

Browse Source
This commit is contained in:
Alvaro Muñoz
2024-02-23 11:53:47 +01:00
parent 68f15f2b85
commit f513a19c24
1 changed files with 4 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ql/lib/codeql/actions/Ast.qll
View File

@@ -500,15 +500,10 @@ class InputsCtxAccessExpr extends CtxAccessExpr {
override string getFieldName() { result = fieldName }
override Expression getRefExpr() {
exists(ReusableWorkflowStmt w |
w.getLocation().getFile() = this.getLocation().getFile() and
w.getInputsStmt().getInputExpr(fieldName) = result
)
result.getLocation().getFile() = this.getLocation().getFile() and
exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(fieldName) = result)
or
exists(CompositeActionStmt a |
a.getLocation().getFile() = this.getLocation().getFile() and
a.getInputsStmt().getInputExpr(fieldName) = result
)
exists(CompositeActionStmt a | a.getInputsStmt().getInputExpr(fieldName) = result)
}
}
@@ -528,6 +523,7 @@ class EnvCtxAccessExpr extends CtxAccessExpr {
override string getFieldName() { result = fieldName }
override Expression getRefExpr() {
result.getLocation().getFile() = this.getLocation().getFile() and
exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result)
or
exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result)