hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 00:35:20 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
ea30f02271b87429a0eb576e893e5181d40b53d9
codeql/actions/ql/src/Models/CompositeActionsSinks.ql
Nora Dimitrijević d36b721513 Actions/CompositeActionsSinks 
Same file uses source as endpoint
2025-10-28 09:38:55 +01:00

40 lines
1.1 KiB
Plaintext
Raw Blame History

/**
* @name Composite Action Sinks
* @description Actions passing input variables to expression injection sinks.
* @kind path-problem
* @problem.severity warning
* @security-severity 9.3
* @precision high
* @id actions/composite-action-sinks
* @tags actions
* model-generator
* external/cwe/cwe-020
*/
import actions
import codeql.actions.security.CodeInjectionQuery
import codeql.actions.TaintTracking
import codeql.actions.dataflow.ExternalFlow
private module MyConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(CompositeAction c | c.getAnInput() = source.asExpr())
}
predicate isSink(DataFlow::Node sink) {
sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
}
predicate observeDiffInformedIncrementalMode() { any() }
}
module MyFlow = TaintTracking::Global<MyConfig>;
import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink
where
MyFlow::flowPath(source, sink) and
source.getNode().getLocation().getFile() = sink.getNode().getLocation().getFile()
select sink.getNode(), source, sink, "Sink"
Reference in New Issue View Git Blame Copy Permalink