Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
codeql-action/queries/import-action-entrypoint.ql
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @name Import action entrypoint | |
| * @description Importing the entrypoint file for an action is dangerous | |
| * because the code from that action will be run when the file is imported. | |
| * @kind problem | |
| * @problem.severity error | |
| * @id javascript/codeql-action/import-action-entrypoint | |
| */ | |
| import javascript | |
| class ActionEntrypointFile extends File { | |
| ActionEntrypointFile() { | |
| exists(Module m | m.getPath() = this.getAbsolutePath() and | |
| // This is quite a broad check and relies on the function name, but hopefully it'll be accurate enough | |
| m.getAStmt().getAChildExpr+().(CallExpr).getCalleeName() = "run") and | |
| // Requiring the relative path to exist limits us to files in the code repository and avoid libraries | |
| exists(this.getRelativePath()) | |
| } | |
| } | |
| from ImportDeclaration i | |
| where exists(ActionEntrypointFile f | i.getImportedModule().getPath() = f.getAbsolutePath()) | |
| select i, "This imports the entrypoint file for an action. This will execute the code from the action." |