Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
codeql-action/queries/default-setup-environment-variables.ql
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @name Some environment variables may not exist in default setup workflows | |
| * @id javascript/codeql-action/default-setup-env-vars | |
| * @kind problem | |
| * @severity warning | |
| */ | |
| import javascript | |
| bindingset[envVar] | |
| predicate isSafeForDefaultSetup(string envVar) { | |
| // Ignore internal Code Scanning environment variables | |
| envVar.matches("CODE_SCANNING_%") or | |
| envVar.matches("CODEQL_%") or | |
| envVar.matches("CODESCANNING_%") or | |
| envVar.matches("LGTM_%") or | |
| // We flag up usage of potentially unsafe parts of the GitHub event in `default-setup-event-context.ql`. | |
| envVar = "GITHUB_EVENT_PATH" or | |
| // The following environment variables are known to be safe for use with default setup | |
| envVar = | |
| [ | |
| "GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL", | |
| "GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID", | |
| "GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW", | |
| "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH", | |
| "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE" | |
| ] | |
| } | |
| predicate envVarRead(DataFlow::Node node, string envVar) { | |
| node = | |
| any(DataFlow::PropRead read | | |
| read = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead() and | |
| envVar = read.getPropertyName() | |
| ) or | |
| node = | |
| any(DataFlow::CallNode call | | |
| call.getCalleeName().matches("get%EnvParam") and | |
| envVar = call.getArgument(0).getStringValue() | |
| ) | |
| } | |
| from DataFlow::Node read, string envVar | |
| where | |
| envVarRead(read, envVar) and | |
| not read.getFile().getBaseName().matches("%.test.ts") and | |
| not isSafeForDefaultSetup(envVar) | |
| select read, | |
| "The environment variable " + envVar + | |
| " may not exist in default setup workflows. If all uses are safe, add it to the list of " + | |
| "environment variables that are known to be safe in " + | |
| "'queries/default-setup-environment-variables.ql'. If this use is safe but others are not, " + | |
| "dismiss this alert as a false positive." |