fix: take trigger events into consideration

Code Injection remote flow sources should be triggerable by the
privileged event

Author: Alvaro Muñoz

ql/src/Security/CWE-094/CodeInjectionCritical.ql

@@ -23,6 +23,7 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event
 where
   CodeInjectionFlow::flowPath(source, sink) and
   inPrivilegedContext(sink.getNode().asExpr(), event) and
+  source.getNode().(RemoteFlowSource).getEvent() = event and
   not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and
   // exclude cases where the sink is a JS script and the expression uses toJson
   not exists(UsesStep script |
@@ -31,5 +32,6 @@ where
     exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
   )
 select sink.getNode(), source, sink,
-  "Potential code injection in $@, which may be controlled by an external user.", sink,
-  sink.getNode().asExpr().(Expression).getRawExpression()
+  "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression(), event,
+  event.getLocation().getFile().toString()

ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml

@@ -16,7 +16,7 @@ runs:
   using: 'composite'
   steps:
     - shell: bash
-      run: echo '${{ github.event.pull_request.body }}'
+      run: echo '${{ github.event.issue.body }}'
     - name: Step
       id: step 
       env:
@@ -25,7 +25,7 @@ runs:
       run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
     - id: step2
       env:
-        FOO2: ${{ github.event.pull_request.body }}
+        FOO2: ${{ github.event.issue.body }}
       shell: bash
       run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
     - name: Sink

ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml

@@ -0,0 +1,24 @@
+on:
+  push:
+    branches:
+      - main
+      - 'release/v*'
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        description: 'Release'
+        type: string
+
+jobs:
+  release-tag:
+    runs-on: ubuntu-latest
+    if: ${{ startsWith(github.event.head_commit.message, 'release:') }}
+    steps:
+      - name: Extract version and PR number from commit message
+        id: extract_info
+        shell: bash
+        run: |
+          echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT