From 0473c3824f46c74b04dbf80ac762751a9c83f090 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 14 May 2024 11:38:39 +0200
Subject: [PATCH 1/2] Treat branch-deploy action as a source of HEAD ref for untrusted checkouts

---
 .../actions/security/UntrustedCheckoutQuery.qll | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 10a45830324..421af3be8ab 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -92,9 +92,15 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
 or
 // 3rd party actions returning the PR head sha/ref
 exists(UsesStep step |
- step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
- // TODO: This should be read step of the head_sha or head_ref output vars
- this.getArgument("ref").regexpMatch(".*head_ref.*") and
+ (
+ step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ // TODO: This should be read step of the head_sha or head_ref output vars
+ this.getArgument("ref").matches("%.head_ref%")
+ or
+ step.getCallee() = ["github/branch-deploy"] and
+ // TODO: This should be read step of the ref output var
+ this.getArgument("ref").matches("%.ref%")
+ ) and
 DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
 )
 or

From a0939bb0a3dfc8fbbccd7c055ac2715fabede49c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 14 May 2024 15:29:45 +0200
Subject: [PATCH 2/2] Bump qlpack versions

---
 ql/lib/qlpack.yml | 2 +-
 ql/src/qlpack.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index e68a4c67cc4..acfc1c7e210 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
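Review bot: The new `this.getArgument("ref").matches("%.ref%")` alternative is a substring glob over the whole argument text, so on its own it is satisfied by any ref expression containing `.ref` — `github.ref`, a `.ref_name`, a PR `head.ref` — not only the branch-deploy `ref` output; what narrows it to that output is the `DataFlow::hasLocalFlowExpr(step, ...)` conjunct on the context line below, so the precision of this branch rests on how tightly that predicate binds the expression to `step`. That dependency is worth recording next to the pattern, e.g. `// loose: matches any "...ref..." expression; hasLocalFlowExpr below is what ties it to the branch-deploy step`, so the pattern is not tightened or loosened later without the flow check in mind. Note also that QL `matches` treats `_` as a single-character wildcard, so the rewritten `%.head_ref%` is marginally wider than the `regexpMatch(".*head_ref.*")` it replaces; harmless here, but relevant if the two TODOs are resolved by reading the actual output variables instead of text matching. The enclosing `ActionsMutableRefCheckout` characteristic predicate starts and ends outside the hunk.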
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.22
+version: 0.0.23
 dependencies:
 codeql/util: ^0.2.0
 codeql/yaml: ^0.1.2
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 465be503e7c..efafbbb55ba 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.22
+version: 0.0.23
 groups:
 - actions
 - queries