Merge pull request #97 from github/rasmuswl/avoid-duplicate-code-injection-alerts

Alvaro Muñoz · web-flow · commit 853fdf0d35f0 · 2024-10-01T11:47:41.000+02:00
Suppress `actions/cache-poisoning/code-injection` alerts covered by `actions/code-injection/critical`
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
@@ -30,7 +30,8 @@ where
     check.protects(source.getNode().asExpr(), event, "code-injection")
   ) and
   // excluding privileged workflows since they can be exploited in easier circumstances
-  not job.isPrivileged() and
+  // which is covered by `actions/code-injection/critical`
+  not job.isPrivilegedExternallyTriggerable(event) and
   (
     // the workflow runs in the context of the default branch
     runsOnDefaultBranch(event)
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
@@ -8,4 +8,3 @@ nodes
 subpaths
 #select
 | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} |
