Add new control checks using octokit/request-action

Alvaro Muñoz · Alvaro Muñoz · commit a1047d155c1d · 2024-10-17T14:48:53.000+02:00
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -256,6 +256,9 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep {
     or
     this.getCallee() = "actions/github-script" and
     this.getArgument("script").splitAt("\n").matches("%getMembershipForUserInOrg%")
+    or
+    this.getCallee() = "octokit/request-action" and
+    this.getArgument("route").regexpMatch("GET.*(memberships).*")
   }
 }
 
@@ -279,6 +282,9 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
     or
     this.getCallee() = "actions/github-script" and
     this.getArgument("script").splitAt("\n").matches("%getCollaboratorPermissionLevel%")
+    or
+    this.getCallee() = "octokit/request-action" and
+    this.getArgument("route").regexpMatch("GET.*(collaborators|permission).*")
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -256,6 +256,9 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep {`
`256`	`256`	`or`
`257`	`257`	`this.getCallee() = "actions/github-script" and`
`258`	`258`	`this.getArgument("script").splitAt("\n").matches("%getMembershipForUserInOrg%")`
	`259`	`+ or`
	`260`	`+ this.getCallee() = "octokit/request-action" and`
	`261`	`+ this.getArgument("route").regexpMatch("GET.(memberships).")`
`259`	`262`	`}`
`260`	`263`	`}`
`261`	`264`
`@@ -279,6 +282,9 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep {`
`279`	`282`	`or`
`280`	`283`	`this.getCallee() = "actions/github-script" and`
`281`	`284`	`this.getArgument("script").splitAt("\n").matches("%getCollaboratorPermissionLevel%")`
	`285`	`+ or`
	`286`	`+ this.getCallee() = "octokit/request-action" and`
	`287`	`+ this.getArgument("route").regexpMatch("GET.(collaborators\|permission).")`
`282`	`288`	`}`
`283`	`289`	`}`
`284`	`290`