/**
* @name Import action entrypoint
* @description Importing the entrypoint file of an action executes that
* action's module-level code as a side effect of the import, which is
* almost never what is intended.
* @kind problem
* @problem.severity error
* @id javascript/codeql-action/import-action-entrypoint
*/
import javascript
/**
 * A source file in this repository that looks like the entrypoint of a
 * GitHub Action: a module whose module-level statements contain a call to
 * something named `run`.
 */
class ActionEntrypointFile extends File {
  ActionEntrypointFile() {
    // Only files with a relative path are considered; this restricts the match
    // to files inside the checked-out repository and excludes library code.
    exists(this.getRelativePath()) and
    exists(Module m, CallExpr call |
      m.getPath() = this.getAbsolutePath() and
      // Any call expression nested in a statement at module level (i.e. not
      // inside a function body).
      call = m.getAStmt().getAChildExpr+() and
      // Heuristic: the entrypoint is recognised purely by the callee name
      // `run`. This is deliberately broad -- it matches any callee named
      // `run`, presumably including method calls such as `x.run()` -- but is
      // expected to be accurate enough for this repository.
      call.getCalleeName() = "run"
    )
  }
}
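// Flag every import that resolves to an action entrypoint file.
//
// `Import` is the common base of ES module `import` declarations, CommonJS
// `require()` calls and dynamic `import()` expressions. All of these load and
// execute the imported module's module-level code, so all of them would run
// the action as a side effect; restricting the query to `ImportDeclaration`
// alone would let a `require("./init-action")` slip through unflagged.
from Import i
where exists(ActionEntrypointFile f | i.getImportedModule().getPath() = f.getAbsolutePath())
select i, "This imports the entrypoint file for an action. This will execute the code from the action."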