/**
* @name Some environment variables may not exist in default setup workflows
* @id javascript/codeql-action/default-setup-env-vars
* @kind problem
*/
import javascript
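/**
 * Holds if reading the environment variable `envVar` is known to be safe in
 * default setup workflows: either the variable is internal to Code Scanning,
 * or it is one of the GitHub / runner variables in the allowlist below.
 *
 * `envVar` is an input (see the `bindingset`), so this predicate is only ever
 * evaluated for names that `envVarRead` has already produced.
 */
bindingset[envVar]
predicate isSafeForDefaultSetup(string envVar) {
  // Ignore internal Code Scanning environment variables.
  // `regexpMatch` is used rather than `matches` because in `matches` the `_`
  // character is a single-character wildcard (and `%` a multi-character one),
  // so a pattern such as "CODEQL_%" would also accept names like "CODEQLXFOO"
  // and silently widen the allowlist. In the regex the `_` is literal, and
  // `regexpMatch` must match the whole string.
  envVar.regexpMatch("(CODE_SCANNING|CODEQL|CODESCANNING|LGTM)_.*")
  or
  // We flag up usage of potentially unsafe parts of the GitHub event in `default-setup-event-context.ql`.
  envVar = "GITHUB_EVENT_PATH"
  or
  // The following environment variables are known to be safe for use with default setup.
  envVar =
    [
      "GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL",
      "GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
      "GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
      "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH",
      "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
    ]
}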
/**
 * Holds if `node` reads the environment variable named `envVar`.
 *
 * Two shapes of read are recognised:
 *  - a property read on `process.env`, where the property name is the variable name;
 *  - a call to a function whose name matches `get%EnvParam`, where the variable
 *    name is the string value of the first argument. Only arguments with a
 *    statically known string value yield a result here, so calls that pass a
 *    computed name are not reported by this predicate.
 */
predicate envVarRead(DataFlow::Node node, string envVar) {
  exists(DataFlow::PropRead envRead |
    envRead = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead() and
    envVar = envRead.getPropertyName() and
    node = envRead
  )
  or
  exists(DataFlow::CallNode helperCall |
    helperCall.getCalleeName().matches("get%EnvParam") and
    envVar = helperCall.getArgument(0).getStringValue() and
    node = helperCall
  )
}
// Report every environment-variable read whose name is not on the allowlist.
// The message names the file to edit so that a safe variable can be allowlisted
// rather than the alert being dismissed per use.
// NOTE(review): the rendered page omits source line 46 between the two
// conjuncts of the `where` clause — confirm the clause against the actual file.
from DataFlow::Node read, string envVar
where
envVarRead(read, envVar) and
not isSafeForDefaultSetup(envVar)
select read,
"The environment variable " + envVar +
" may not exist in default setup workflows. If all uses are safe, add it to the list of " +
"environment variables that are known to be safe in " +
"'queries/default-setup-environment-variables.ql'. If this use is safe but others are not, " +
"dismiss this alert as a false positive."