Actions: ArtifactPoisoning

d10c · d10c · commit aa9fab3f67d7 · 2025-07-03T14:59:26.000+02:00
diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -4,6 +4,7 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.ControlChecks
 
 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
 
@@ -317,8 +318,17 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql@28:30:28:34)
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    exists(Event event | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      not exists(ControlCheck check | check.protects(sink.asExpr(), event, "artifact-poisoning"))
+    )
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ import codeql.actions.DataFlow`
`4`	`4`	`import codeql.actions.dataflow.FlowSources`
`5`	`5`	`import codeql.actions.security.PoisonableSteps`
`6`	`6`	`import codeql.actions.security.UntrustedCheckoutQuery`
	`7`	`+import codeql.actions.security.ControlChecks`
`7`	`8`
`8`	`9`	`string unzipRegexp() { result = "(unzip\|tar)\\s+.*" }`
`9`	`10`
`@@ -317,8 +318,17 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {`
`317`	`318`	`)`
`318`	`319`	`}`
`319`	`320`
`320`		`- predicate observeDiffInformedIncrementalMode() {`
`321`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql@28:30:28:34)`
	`321`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`322`	`+`
	`323`	`+ Location getASelectedSourceLocation(DataFlow::Node source) { none() }`
	`324`	`+`
	`325`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`326`	`+ result = sink.getLocation()`
	`327`	`+ or`
	`328`	`+ exists(Event event \| result = event.getLocation() \|`
	`329`	`+ inPrivilegedContext(sink.asExpr(), event) and`
	`330`	`+ not exists(ControlCheck check \| check.protects(sink.asExpr(), event, "artifact-poisoning"))`
	`331`	`+ )`
`322`	`332`	`}`
`323`	`333`	`}`
`324`	`334`