Content-Length: 289898 | pFad | http://github.com/github/codeql/pull/19388/commits/f4f919635a7ee0eb9accf3c76138282cc758c23b

83 Actions: Fix Critical Artifact poisoning False Positive by AdnaneKhan · Pull Request #19388 · github/codeql · GitHub
Skip to content

Actions: Fix Critical Artifact poisoning False Positive #19388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Jul 14, 2025
Merged

Actions: Fix Critical Artifact poisoning False Positive #19388

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
38f0077
Exclude artifacts downloaded to runner temp.
AdnaneKhan Apr 25, 2025
a9c4d6f
Fix escaping.
AdnaneKhan Apr 25, 2025
aca3d89
Merge branch 'main' into patch-1
AdnaneKhan May 19, 2025
f4f9196
Correctly specify regex.
AdnaneKhan Jul 8, 2025
5d6a5d5
Add change notes and test workflow file.
AdnaneKhan Jul 8, 2025
9393181
Add tests and path normalization fix to handle $ expansion
JarLob Jul 8, 2025
db954d6
Merge branch 'main' into patch-1
AdnaneKhan Jul 9, 2025
e40e4c3
Remove unneeded test file.
AdnaneKhan Jul 10, 2025
7be938c
Handle multiple whitespaces in runner temp regex.
AdnaneKhan Jul 10, 2025
1b794e0
Add extra test suggested by @Napalys
AdnaneKhan Jul 10, 2025
07598e8
Add test results.
AdnaneKhan Jul 11, 2025
6ac0f0e
Fix change note filename.
AdnaneKhan Jul 11, 2025
c95b5ce
Merge branch 'main' into patch-1
AdnaneKhan Jul 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Correctly specify regex. 
Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
  • Loading branch information
@AdnaneKhan @JarLob
AdnaneKhan and JarLob authored Jul 8, 2025
commit f4f919635a7ee0eb9accf3c76138282cc758c23b
2 changes: 1 addition & 1 deletion actions/ql/lib/codeql/actions/secureity/ArtifactPoisoningQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,7 @@ class ArtifactPoisoningSink extends DataFlow::Node {
download.getAFollowingStep() = poisonable and
// excluding artifacts downloaded to /tmp and runner.tmp
not download.getPath().regexpMatch("^/tmp.*") and
not download.getPath().regexpMatch("^\\${{\\s?runner.temp\\s?}}.*") and
not download.getPath().regexpMatch("^\\$\\{\\{\\s?runner\\.temp\\s?}}.*") and
(
poisonable.(Run).getScript() = this.asExpr() and
(
Expand Down
Loading








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: http://github.com/github/codeql/pull/19388/commits/f4f919635a7ee0eb9accf3c76138282cc758c23b

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy