diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
index 8bc3fe8f51ad..100f9987c87d 100644
--- a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
@@ -18,6 +18,38 @@ import actions
 import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
+/**
+ * A data flow source of user input from github context.
+ * eg: github.head_ref
+ * Usually only considered for pull_request_target where access to secrets
+ * and tokens is more available.
+ * However this query already finds all context events as sources regardless
+ * so this should be similar.
+ */
+class GitHubCtxSourceMediumLikely extends RemoteFlowSource {
+  string flag;
+  string event;
+
+  GitHubCtxSourceMediumLikely() {
+    exists(GitHubExpression e |
+      this.asExpr() = e and
+      // github.head_ref
+      e.getFieldName() = "head_ref" and
+      flag = "branch"
+    |
+      event = e.getATriggerEvent().getName() and
+      event = "pull_request"
+      or
+      not exists(e.getATriggerEvent()) and
+      event = "unknown"
+    )
+  }
+
+  override string getSourceType() { result = flag }
+
+  override string getEventName() { result = event }
+}
+
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
 where mediumSeverityCodeInjection(source, sink)
 select sink.getNode(), source, sink,
diff --git a/actions/ql/src/change-notes/2026-04-08-codeinjection-medium-sources.md b/actions/ql/src/change-notes/2026-04-08-codeinjection-medium-sources.md
new file mode 100644
index 000000000000..f2a0a5b8e47f
--- /dev/null
+++ b/actions/ql/src/change-notes/2026-04-08-codeinjection-medium-sources.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results.
\ No newline at end of file
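Review bot: The doc comment on `GitHubCtxSourceMediumLikely` does not explain why this `RemoteFlowSource` subclass is declared in the query file rather than with the other sources in the library, and its last two sentences ("this query already finds all context events as sources regardless so this should be similar") read as a note to self rather than as documentation of the contract. I would replace them with a sentence saying that `github.head_ref` is branch text controlled by the pull-request author, that on `pull_request` it is reported at medium severity because, as the comment itself notes, secrets and tokens are less available than on `pull_request_target`, and that the class is kept local so that, if I read the placement right, the source set of the critical query is unchanged. The `not exists(e.getATriggerEvent()) and event = "unknown"` disjunct also deserves a why-comment, since it keeps the source for every file whose trigger cannot be determined (presumably reusable workflows and composite actions) and so will surface findings the `pull_request` filter does not apply to; something like `// no trigger recorded (reusable workflow / composite action?): keep the source rather than miss it`.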