Add trigger event checks for all checkout models

Alvaro Muñoz · Alvaro Muñoz · commit 0738a66380d8 · 2024-10-23T09:37:01.000+02:00
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -283,6 +283,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GitMutableRefCheckout() {
     exists(string cmd | this.getScript().getACommand() = cmd |
+      this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and
       cmd.regexpMatch("git\\s+(fetch|pull).*") and
       (
         (containsHeadRef(cmd) or containsPullRequestNumber(cmd))
@@ -306,6 +307,7 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 class GitSHACheckout extends SHACheckoutStep instanceof Run {
   GitSHACheckout() {
     exists(string cmd | this.getScript().getACommand() = cmd |
+      this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and
       cmd.regexpMatch("git\\s+(fetch|pull).*") and
       (
         containsHeadSHA(cmd)
@@ -326,6 +328,7 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run {
 class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GhMutableRefCheckout() {
     exists(string cmd | this.getScript().getACommand() = cmd |
+      this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and
       cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and
       (
         (containsHeadRef(cmd) or containsPullRequestNumber(cmd))
@@ -348,6 +351,7 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 class GhSHACheckout extends SHACheckoutStep instanceof Run {
   GhSHACheckout() {
     exists(string cmd | this.getScript().getACommand() = cmd |
+      this.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and
       cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and
       (
         containsHeadSHA(cmd)
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test24.yml
@@ -0,0 +1,20 @@
+on: [ workflow_dispatch, pull_request ]
+jobs:
+  test:
+    runs-on: ubuntu-20.04
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v2
+
+      - name: Fetch base and head on PR
+        if: ${{ github.event.pull_request.base.sha }}
+        run: |
+          git fetch origin master ${{ github.event.pull_request.base.sha }}
+          git fetch origin master ${{ github.event.pull_request.head.sha }}
+
+      - name: Check that Pull Request includes updating the Version
+        run: |
+          git show ${{ github.event.pull_request.base.sha }}:src/mplfinance/_version.py > scripts/tv0.py
+          git show ${{ github.sha }}:src/mplfinance/_version.py > scripts/tv1.py
+          python scripts/version_update_check.py tv0 tv1
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.actual
