Skip to content

Add extra source to actions CWE-094/CodeInjectionMedium#21672

Open
knewbury01 wants to merge 1 commit intogithub:mainfrom
knewbury01:knewbury01/adjust-actions-queries-code-injection-medium
Open

Add extra source to actions CWE-094/CodeInjectionMedium#21672
knewbury01 wants to merge 1 commit intogithub:mainfrom
knewbury01:knewbury01/adjust-actions-queries-code-injection-medium

Conversation

@knewbury01
Copy link
Copy Markdown
Contributor

@knewbury01 knewbury01 commented Apr 8, 2026

since all the context event sources are considered by this query (regardless of trigger event) then context sources should also be, otherwise we get reporting inconsistency as follow:

on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ github.event.pull_request.head.ref }}" //reported

vs

on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ github.head_ref }}" //not reported

only made this change for the medium level query, since it does also make some sense to consider trigger event.

@knewbury01 knewbury01 self-assigned this Apr 8, 2026
@knewbury01 knewbury01 requested a review from a team as a code owner April 8, 2026 16:04
Copilot AI review requested due to automatic review settings April 8, 2026 16:04
@github-actions github-actions bot added documentation Actions Analysis of GitHub Actions labels Apr 8, 2026
Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aligns the actions/code-injection/medium query’s behavior with existing context-event source handling by also treating github.head_ref as a source on pull_request, reducing reporting inconsistencies between equivalent GitHub context expressions.

Changes:

  • Added a new RemoteFlowSource in the medium code injection query to model github.head_ref for the pull_request event.
  • Added a change note documenting the expected increase in results for actions/code-injection/medium.
Show a summary per file
File Description
actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql Introduces a new GitHub-context-based source specific to the medium query.
actions/ql/src/change-notes/2026-04-08-codeinjection-medium-sources.md Documents the new source behavior and the resulting increase in findings.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 2

actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
Comment on lines +22 to +26
* A data flow source of user input from github context.
* eg: github.head_ref
* Usually only considered for pull_request_target where access to secrets
* and tokens is more available.
* However this query already finds all context events as sources regardless
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new doc comment has a few wording/capitalization issues: "github" should be capitalized as "GitHub", and "eg" should be "e.g.". Consider also backticking event/context identifiers (for example github.head_ref, pull_request_target) to improve readability.

Suggested change
* A data flow source of user input from github context.
* eg: github.head_ref
* Usually only considered for pull_request_target where access to secrets
* and tokens is more available.
* However this query already finds all context events as sources regardless
* A data flow source of user input from GitHub context.
* e.g.: `github.head_ref`
* Usually only considered for `pull_request_target` where access to secrets
* and tokens is more available.
* However this query already finds all context events as sources regardless,

Copilot uses AI. Check for mistakes.
actions/ql/src/change-notes/2026-04-08-codeinjection-medium-sources.md
---
category: minorAnalysis
---
* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results. No newline at end of file
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change note sentence is a bit ungrammatical/awkward ("such that now", "found as source", "on event"). Consider rephrasing to something like "...so github.head_ref is now treated as a source on the pull_request event (not just pull_request_target)" for clarity.

Suggested change
* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results.
* Added a source type to `actions/code-injection/medium` so `github.head_ref` is now treated as a source on the `pull_request` event (not just `pull_request_target`). This will result in the query finding more results.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@knewbury01 knewbury01

Labels

Actions Analysis of GitHub Actions documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@knewbury01