Actions: CodeInjection

d10c · d10c · commit ff3a4b97fd66 · 2025-07-03T17:16:26.000+02:00
diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -3,6 +3,8 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks
+import codeql.actions.security.CachePoisoningQuery
 
 class CodeInjectionSink extends DataFlow::Node {
   CodeInjectionSink() {
@@ -36,8 +38,51 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql@48:60:48:64), Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql@36:60:36:64)
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    // where clause from CodeInjectionCritical.ql
+    exists(Event event, RemoteFlowSource source | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      isSource(source) and
+      source.getEventName() = event.getName() and
+      not exists(ControlCheck check | check.protects(sink.asExpr(), event, "code-injection")) and
+      // exclude cases where the sink is a JS script and the expression uses toJson
+      not exists(UsesStep script |
+        script.getCallee() = "actions/github-script" and
+        script.getArgumentExpr("script") = sink.asExpr() and
+        exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+      )
+    )
+    or
+    // where clause from CachePoisoningViaCodeInjection.ql
+    exists(Event event, LocalJob job, DataFlow::Node source | result = event.getLocation() |
+      job = sink.asExpr().getEnclosingJob() and
+      job.getATriggerEvent() = event and
+      // job can be triggered by an external user
+      event.isExternallyTriggerable() and
+      // the checkout is not controlled by an access check
+      isSource(source) and
+      not exists(ControlCheck check | check.protects(source.asExpr(), event, "code-injection")) and
+      // excluding privileged workflows since they can be exploited in easier circumstances
+      // which is covered by `actions/code-injection/critical`
+      not job.isPrivilegedExternallyTriggerable(event) and
+      (
+        // the workflow runs in the context of the default branch
+        runsOnDefaultBranch(event)
+        or
+        // the workflow caller runs in the context of the default branch
+        event.getName() = "workflow_call" and
+        exists(ExternalJob caller |
+          caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+          runsOnDefaultBranch(caller.getATriggerEvent())
+        )
+      )
+    )
   }
 }
 
