From b1737858fa07cdcde9513bac72f738fee9a81dbf Mon Sep 17 00:00:00 2001
From: Marco Gario
Date: Wed, 26 Mar 2025 12:49:48 +0000
Subject: [PATCH 1/3] UntrustedCheckout: Try and differentiate between two versions of the rule
---
 actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index c1d3729701d1..b004b26c603b 100644
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in trusted context
+ * @name Checkout of untrusted code in trusted context with poisonable step
 * @description Privileged workflows have read/write access to the base repository and access to secrets.
 * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 * that is able to push to the base repository and to access secrets.
From 288fcb60928710b975adaa61a034968955b60e2c Mon Sep 17 00:00:00 2001
From: Marco Gario
Date: Wed, 26 Mar 2025 15:53:20 +0100
Subject: [PATCH 2/3] Update CWE-829 description for clarity
---
 actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index b004b26c603b..90feab533a47 100644
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in trusted context with poisonable step
+ * @name Checkout of untrusted code in priviledged context
 * @description Privileged workflows have read/write access to the base repository and access to secrets.
 * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 * that is able to push to the base repository and to access secrets.
From 8737acb6a95715602f92a4699421cc1c61770cfe Mon Sep 17 00:00:00 2001
From: Marco Gario
Date: Mon, 31 Mar 2025 20:42:03 +0200
Subject: [PATCH 3/3] Update actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
Co-authored-by: Andrew Eisenberg
---
 actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index 90feab533a47..9676e942f7ce 100644
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in priviledged context
+ * @name Checkout of untrusted code in a priviledged context
 * @description Privileged workflows have read/write access to the base repository and access to secrets.
 * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 * that is able to push to the base repository and to access secrets.
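Review bot: The new `@name` line in the [PATCH 2/3] hunk misspells "privileged" as "priviledged", while the `@description` context line directly below it spells the word correctly; since `@name` is the title attached to every alert this query raises, the added line should read ` * @name Checkout of untrusted code in privileged context`. The [PATCH 3/3] hunk carries the same misspelling forward and only inserts the article, so the fix applies to its final ` * @name Checkout of untrusted code in a privileged context` as well. The [PATCH 1/3] subject says the series is meant to differentiate two versions of this rule, yet after the three patches the title no longer states what distinguishes the Critical query from its sibling (the "poisonable step" qualifier added in the first patch is dropped again in the second); if that distinction is still the intent, keeping a short qualifier in the title would make alert lists easier to triage. The query's metadata comment continues past the end of each hunk.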