From b4d142e980d9fc2e954848855f14f12c26555d4d Mon Sep 17 00:00:00 2001
From: Robert Brignull
Date: Tue, 1 Sep 2020 14:16:04 +0100
Subject: [PATCH] whitelist @actions/exec/lib/toolrunner
---
 queries/unguarded-action-lib.ql | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/queries/unguarded-action-lib.ql b/queries/unguarded-action-lib.ql
index feb0b7db9..486bac1e8 100644
--- a/queries/unguarded-action-lib.ql
+++ b/queries/unguarded-action-lib.ql
@@ -12,11 +12,11 @@ import javascript
  * Although these libraries are designed for use on actions they
  * have been deemed safe to use outside of actions as well.
  */
-class SafeActionLibs extends string {
-  SafeActionLibs() {
-    this = "@actions/http-client" or
-    this = "@actions/exec"
-  }
+bindingset[lib]
+predicate isSafeActionLib(string lib) {
+  lib = "@actions/http-client" or
+  lib = "@actions/exec" or
+  lib.matches("@actions/exec/%")
 }
 
 /**
@@ -26,7 +26,7 @@ class SafeActionLibs extends string {
 class ActionsLibImport extends ImportDeclaration {
   ActionsLibImport() {
     getImportedPath().getValue().matches("@actions/%") and
-    not getImportedPath().getValue() instanceof SafeActionLibs
+    not isSafeActionLib(getImportedPath().getValue())
   }
 
   string getName() {
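Review bot: The added `lib.matches("@actions/exec/%")` disjunct in the first hunk allow-lists every module path under `@actions/exec/`, which is broader than the single `@actions/exec/lib/toolrunner` module the commit title names; in QL, `matches` uses LIKE-style wildcards, so `%` spans any number of characters and `_` matches any single character. Since this query exists to flag action-only libraries imported from code that may run outside an action, a prefix allow-list silently extends the exemption to any future submodule of `@actions/exec` without review. If only toolrunner has been assessed as safe, prefer the exact `lib = "@actions/exec/lib/toolrunner"`; otherwise extend the QLDoc above the predicate (its `/**` opener is outside the hunk) with a sentence such as ` * Submodules of @actions/exec are also exempt, as they share the same safety assessment.` so the broadening is intentional and documented. The second hunk's call-site change is consistent with the new predicate and needs nothing further.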