Commit 55d16e8

committed

Remove false-positive command-injection sink model for step-security/harden-runner

The `allowed-endpoints` input only flows to `execFileSync("echo", [content])` (no shell) and `fs.writeFileSync` (JSON config), neither of which is a command injection vector. Fixes #21568

1 parent 72534e8 commit 55d16e8Copy full SHA for 55d16e8

1 file changed

+0

-6

lines changed

actions/ql/lib/ext/manual
- step-security_harden-runner.model.yml

1 file changed

+0

-6

lines changed

`‎actions/ql/lib/ext/manual/step-security_harden-runner.model.yml‎`

This file was deleted.

Comments

(0)