fix: do not require github.event.workflow_run.id as an argument for gh run download

Alvaro Muñoz · Alvaro Muñoz · commit 0ad7f08c9fc7 · 2024-10-28T16:15:47.000+01:00
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -178,7 +178,6 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
   GHRunArtifactDownloadStep() {
     // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
     this.getScript().getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and
-    this.getScript().getACommand().matches("%github.event.workflow_run.id%") and
     (
       this.getScript().getACommand().regexpMatch(unzipRegexp()) or
       this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())

Original file line number	Diff line number	Diff line change
`@@ -178,7 +178,6 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {`
`178`	`178`	`GHRunArtifactDownloadStep() {`
`179`	`179`	`// eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name"`
`180`	`180`	`this.getScript().getACommand().regexpMatch(".gh\\s+run\\s+download.") and`
`181`		`- this.getScript().getACommand().matches("%github.event.workflow_run.id%") and`
`182`	`181`	`(`
`183`	`182`	`this.getScript().getACommand().regexpMatch(unzipRegexp()) or`
`184`	`183`	`this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())`