From 38f00775bd87f6c1f27608dc23e072671c07cda5 Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Fri, 25 Apr 2025 14:49:01 -0400
Subject: [PATCH 1/2] Exclude artifacts downloaded to runner temp.

---
 .../ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index d8d5f83c867d..24e0f400e920 100644
--- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -262,8 +262,9 @@ class ArtifactPoisoningSink extends DataFlow::Node {
 
   ArtifactPoisoningSink() {
     download.getAFollowingStep() = poisonable and
-    // excluding artifacts downloaded to /tmp
+    // excluding artifacts downloaded to /tmp and runner.tmp
     not download.getPath().regexpMatch("^/tmp.*") and
+    not download.getPath().regexpMatch("^\${{\s?runner.temp\s?}}.*") and
     (
       poisonable.(Run).getScript() = this.asExpr() and
       (

From a9c4d6f383c68df3491fb6537519139aacee7681 Mon Sep 17 00:00:00 2001
From: Adnan Khan <AdnaneKhan@users.noreply.github.com>
Date: Fri, 25 Apr 2025 15:00:14 -0400
Subject: [PATCH 2/2] Fix escaping.

---
 .../ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index 24e0f400e920..8c6471b3c580 100644
--- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -264,7 +264,7 @@ class ArtifactPoisoningSink extends DataFlow::Node {
     download.getAFollowingStep() = poisonable and
     // excluding artifacts downloaded to /tmp and runner.tmp
     not download.getPath().regexpMatch("^/tmp.*") and
-    not download.getPath().regexpMatch("^\${{\s?runner.temp\s?}}.*") and
+    not download.getPath().regexpMatch("^\\${{\\s?runner.temp\\s?}}.*") and
     (
       poisonable.(Run).getScript() = this.asExpr() and
       (

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/19388.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/19388.patch" target="_blank">pFad Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/19388.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/19388.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>