Commit fb841ea

committed
Make predicates containing query logic more self-contained
1 parent 8bac1de commit fb841ea

3 files changed

+20-18Lines changed: 20 additions & 18 deletions

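--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -93,23 +93,29 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
 
 /**
-* Holds if the flow from `source` to `sink` has critical severity and they are
-* linked by `event`.
+* Holds if there is a code injection flow from `source` to `sink` with
+* critical severity, linked by `event`.
 */
-pragma[inline]
-predicate criticalSeverity(DataFlow::Node source, DataFlow::Node sink, Event event) {
-event = getRelevantCriticalEventForSink(sink) and
-source.(RemoteFlowSource).getEventName() = event.getName()
+predicate criticalSeverityCodeInjection(
+CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
+) {
+CodeInjectionFlow::flowPath(source, sink) and
+event = getRelevantCriticalEventForSink(sink.getNode()) and
+source.getNode().(RemoteFlowSource).getEventName() = event.getName()
 }
 
-/** Holds if the flow from `source` to `sink` has medium severity. */
-pragma[inline]
-predicate mediumSeverity(DataFlow::Node source, DataFlow::Node sink) {
-not criticalSeverity(source, sink, _) and
+/**
+* Holds if there is a code injection flow from `source` to `sink` with medium severity.
+*/
+predicate mediumSeverityCodeInjection(
+CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+) {
+CodeInjectionFlow::flowPath(source, sink) and
+not criticalSeverityCodeInjection(source, sink, _) and
 // exclude cases where the sink is a JS script and the expression uses toJson
 not exists(UsesStep script |
 script.getCallee() = "actions/github-script" and
-script.getArgumentExpr("script") = sink.asExpr() and
-exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+script.getArgumentExpr("script") = sink.getNode().asExpr() and
+exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
 )
 }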
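Review bot: The new doc comment on `mediumSeverityCodeInjection` says only "with medium severity", but the body also drops every flow that is critical and every flow whose sink is the `script` argument of `actions/github-script` when the expression contains a toJson reference. Now that the predicate is the single entry point for the medium query, that suppression should be stated in the comment so someone triaging a missing alert can find it, for example `* Flows that are critical, or whose sink is an actions/github-script script whose expression uses toJson, are excluded.` The toJson exclusion is not applied in `criticalSeverityCodeInjection`; from these lines alone it is not clear whether that asymmetry is intended, so a sentence confirming it would help. Separately, the old public names `criticalSeverity` and `mediumSeverity` disappear here with no `deprecated` alias, which will break any external query that still calls them.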
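--- a/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
@@ -20,9 +20,7 @@ import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-where
-CodeInjectionFlow::flowPath(source, sink) and
-criticalSeverity(source.getNode(), sink.getNode(), event)
+where criticalSeverityCodeInjection(source, sink, event)
 select sink.getNode(), source, sink,
 "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
 sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()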
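--- a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
@@ -19,9 +19,7 @@ import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-where
-CodeInjectionFlow::flowPath(source, sink) and
-mediumSeverity(source.getNode(), sink.getNode())
+where mediumSeverityCodeInjection(source, sink)
 select sink.getNode(), source, sink,
 "Potential code injection in $@, which may be controlled by an external user.", sink,
 sink.getNode().asExpr().(Expression).getRawExpression()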
