/** * @name Some environment variables may not exist in default setup workflows * @id javascript/codeql-action/default-setup-env-vars * @kind problem * @severity warning */ import javascript bindingset[envVar] predicate isSafeForDefaultSetup(string envVar) { // Ignore internal Code Scanning environment variables envVar.matches("CODE_SCANNING_%") or envVar.matches("CODEQL_%") or envVar.matches("CODESCANNING_%") or envVar.matches("LGTM_%") or // We flag up usage of potentially unsafe parts of the GitHub event in `default-setup-event-context.ql`. envVar = "GITHUB_EVENT_PATH" or // The following environment variables are known to be safe for use with default setup envVar = [ "GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL", "GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID", "GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW", "GITHUB_WORKSPACE", "GOFLAGS", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE" ] } predicate envVarRead(DataFlow::Node node, string envVar) { node = any(DataFlow::PropRead read | read = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead() and envVar = read.getPropertyName() ) or node = any(DataFlow::CallNode call | call.getCalleeName().matches("get%EnvParam") and envVar = call.getArgument(0).getStringValue() ) } from DataFlow::Node read, string envVar where envVarRead(read, envVar) and not isSafeForDefaultSetup(envVar) select read, "The environment variable " + envVar + " may not exist in default setup workflows. If all uses are safe, add it to the list of " + "environment variables that are known to be safe in " + "'queries/default-setup-environment-variables.ql'. If this use is safe but others are not, " + "dismiss this alert as a false positive."