Enforce a checkout kind of trigger to consider gh pr/gh api ... pulls as a source of untrusted data

Alvaro Muñoz · Alvaro Muñoz · commit c9bb42a46ce0 · 2024-10-23T12:14:20.000+02:00
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -129,7 +129,13 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
       run.getScript().getAStmt() = cmd and
       cmd.indexOf("gh ") = 0 and
       untrustedGhCommandDataModel(cmd_regex, flag) and
-      cmd.regexpMatch(cmd_regex + ".*")
+      cmd.regexpMatch(cmd_regex + ".*") and
+      (
+        cmd.regexpMatch(".*\\b(pr|pulls)\\b.*") and
+        run.getATriggerEvent().getName() = checkoutTriggers()
+        or
+        not cmd.regexpMatch(".*\\b(pr|pulls)\\b.*")
+      )
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,13 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {`
`129`	`129`	`run.getScript().getAStmt() = cmd and`
`130`	`130`	`cmd.indexOf("gh ") = 0 and`
`131`	`131`	`untrustedGhCommandDataModel(cmd_regex, flag) and`
`132`		`- cmd.regexpMatch(cmd_regex + ".*")`
	`132`	`+ cmd.regexpMatch(cmd_regex + ".*") and`
	`133`	`+ (`
	`134`	`+ cmd.regexpMatch(".\\b(pr\|pulls)\\b.") and`
	`135`	`+ run.getATriggerEvent().getName() = checkoutTriggers()`
	`136`	`+ or`
	`137`	`+ not cmd.regexpMatch(".\\b(pr\|pulls)\\b.")`
	`138`	`+ )`
`133`	`139`	`)`
`134`	`140`	`}`
`135`	`141`