From f513a19c243bbd4c0c82ce3d9714078fc3dfed0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 23 Feb 2024 11:53:47 +0100
Subject: [PATCH] fix: restrict EnvCtxAccessExpr to Env decarlations on the same file

---
 ql/lib/codeql/actions/Ast.qll | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
index 339daf5365e..68469ef2467 100644
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -500,15 +500,10 @@ class InputsCtxAccessExpr extends CtxAccessExpr {
 override string getFieldName() { result = fieldName }

 override Expression getRefExpr() {
- exists(ReusableWorkflowStmt w |
- w.getLocation().getFile() = this.getLocation().getFile() and
- w.getInputsStmt().getInputExpr(fieldName) = result
- )
+ result.getLocation().getFile() = this.getLocation().getFile() and
+ exists(ReusableWorkflowStmt w | w.getInputsStmt().getInputExpr(fieldName) = result)
 or
- exists(CompositeActionStmt a |
- a.getLocation().getFile() = this.getLocation().getFile() and
- a.getInputsStmt().getInputExpr(fieldName) = result
- )
+ exists(CompositeActionStmt a | a.getInputsStmt().getInputExpr(fieldName) = result)
 }
 }

@@ -528,6 +523,7 @@ class EnvCtxAccessExpr extends CtxAccessExpr {
 override string getFieldName() { result = fieldName }

 override Expression getRefExpr() {
+ result.getLocation().getFile() = this.getLocation().getFile() and
 exists(JobUsesExpr s | s.getEnvExpr(fieldName) = result)
 or
 exists(StepUsesExpr s | s.getEnvExpr(fieldName) = result)
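Review bot: In `InputsCtxAccessExpr.getRefExpr` the new same-file conjunct applies only to the first disjunct, because `and` binds tighter than `or` in QL. The `ReusableWorkflowStmt` branch is file-restricted, but the `CompositeActionStmt` branch, which had its own file check before this change, now matches an input of the same name declared in any file. The second hunk has the same shape in `EnvCtxAccessExpr.getRefExpr`: only the `JobUsesExpr` branch is restricted, while the `StepUsesExpr` branch and any disjunct after it (the body continues past the hunk) are not. Parenthesise the disjunction in both predicates, i.e. `result.getLocation().getFile() = this.getLocation().getFile() and (` before the first `exists` and `)` after the last one. Without that, a context access can presumably resolve to a declaration in an unrelated workflow or action file, which would misattribute sources in the queries built on `getRefExpr`.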