Skip to content

UntrustedCheckout: Try and differentiate between two versions of the query#19127

Merged
marcogario merged 4 commits intomainfrom
marcogario/untrusted_checkout_name
Apr 1, 2025
Merged

UntrustedCheckout: Try and differentiate between two versions of the query#19127
marcogario merged 4 commits intomainfrom
marcogario/untrusted_checkout_name

Conversation

@marcogario
Copy link
Copy Markdown
Contributor

@marcogario marcogario commented Mar 26, 2025

We have two versions of the query UntrustedCheckout with different severity (High and Critical) due to the difference in precision.
When generating the docs for these rules, it is confusing to see the same name.

I wanted to simply add High and Critical to the name, but then noticed that in the query itself we seem to provide a justification of why one is higher precision. Specifically, we say that we know that there is a poisonable step.

Therefore, I've updated the name to include this bit and make it possible to distinguish the two.

I am not sure this is the best solution and I could not really find prior art on this situation.

Copilot AI review requested due to automatic review settings March 26, 2025 12:54
@marcogario marcogario requested a review from a team as a code owner March 26, 2025 12:54
Copilot AI reviewed Mar 26, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql: Language not supported

Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more

@github-actions github-actions bot added the Actions Analysis of GitHub Actions label Mar 26, 2025
@adityasharad
Copy link
Copy Markdown
Collaborator

adityasharad commented Mar 26, 2025

For other queries @yoff and I went with "in a privileged context" as the distinguishing factor. I think that continues to make sense here.

@marcogario marcogario added the no-change-note-required This PR does not need a change note label Mar 26, 2025
aeisenberg
aeisenberg reviewed Mar 31, 2025
View reviewed changes
@marcogario @aeisenberg
Update actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
8737acb 
Co-authored-by: Andrew Eisenberg <aeisenberg@github.com>
@oscarsj oscarsj added Actions Analysis of GitHub Actions and removed Actions Analysis of GitHub Actions labels Apr 1, 2025
@marcogario marcogario merged commit 3652d6f into main Apr 1, 2025
15 checks passed
@marcogario marcogario deleted the marcogario/untrusted_checkout_name branch April 1, 2025 08:56
@marcogario marcogario mentioned this pull request Apr 1, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tausbn tausbn tausbn left review comments

Copilot code review Copilot Copilot left review comments

@aeisenberg aeisenberg aeisenberg approved these changes

Assignees

No one assigned

Labels

Actions Analysis of GitHub Actions no-change-note-required This PR does not need a change note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@marcogario @adityasharad @aeisenberg @tausbn @oscarsj