forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathArtifactPoisoningCritical.ql
More file actions
25 lines (23 loc) · 911 Bytes
/
ArtifactPoisoningCritical.ql
File metadata and controls
25 lines (23 loc) · 911 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
/**
* @name Artifact poisoning
* @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
* @kind path-problem
* @problem.severity error
* @precision very-high
* @security-severity 9
* @id actions/artifact-poisoning/critical
* @tags actions
* security
* external/cwe/cwe-829
*/
import actions
import codeql.actions.security.ArtifactPoisoningQuery
import ArtifactPoisoningFlow::PathGraph
import codeql.actions.security.ControlChecks
from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink, Event event
where
ArtifactPoisoningFlow::flowPath(source, sink) and
event = getRelevantEventInPrivilegedContext(sink.getNode())
select source.getNode(), source, sink,
"Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@).",
event, event.getName()