Skip to content

Commit aa9fab3

Browse files
d10cd10c
committed
Actions: ArtifactPoisoning
1 parent 4e7cf07 commit aa9fab3

File tree

1 file changed

+12
-2
lines changed

1 file changed

+12
-2
lines changed

actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ import codeql.actions.DataFlow
44
import codeql.actions.dataflow.FlowSources
55
import codeql.actions.security.PoisonableSteps
66
import codeql.actions.security.UntrustedCheckoutQuery
7+
import codeql.actions.security.ControlChecks
78

89
string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
910

@@ -317,8 +318,17 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
317318
)
318319
}
319320

320-
predicate observeDiffInformedIncrementalMode() {
321-
any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql@28:30:28:34)
321+
predicate observeDiffInformedIncrementalMode() { any() }
322+
323+
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
324+
325+
Location getASelectedSinkLocation(DataFlow::Node sink) {
326+
result = sink.getLocation()
327+
or
328+
exists(Event event | result = event.getLocation() |
329+
inPrivilegedContext(sink.asExpr(), event) and
330+
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "artifact-poisoning"))
331+
)
322332
}
323333
}
324334

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy