Create undeclared-action-input.ql #16
Conversation
queries/undeclared-action-input.ql
Outdated
| } | ||
|
|
||
| Expr getAFunctionChildExpr(Function f) { | ||
| result = f.getBody().getAChildStmt*().getAChildExpr*() |
There was a problem hiding this comment.
I'm not very knowlegeable about the javascript QL libraries so might need some help from the team. Perhaps @asgerf if you have a chance. Do the getAFunctionChildExpr and calledBy predicates look correct to you, or are they even necessary and maybe there's something in the library that can do this more easily?
There was a problem hiding this comment.
getContainer is probably what you're looking for:
| result = f.getBody().getAChildStmt*().getAChildExpr*() | |
| result.getContainer() = f |
There's a subtle difference there in how nested functions are handled, however (yours would include the body of arrow functions).
To handle nested functions, I'd also add this to calledBy:
Function calledBy(Function f) {
...
or
result.getEnclosingContainer() = f // assume outer function causes inner function to be called
}There was a problem hiding this comment.
Thanks. Didn't know about that predicate but that makes sense.
|
|
|
Queries still seem to work. It finds all the alerts that I expected it to. The "Code scanning / CodeQL" check is marked as red because this is "introducing" alerts, but this is fine and we've decided we want to fix them in separate PRs. |
Adds a new CodeQL query for detecting when we are referencing action input parameters (by
core.getInput(...)) from actions where those inputs are not defined. This can easily happen when code is reused between actions, and affects us more than most people because we have multiple actions in the same repo.The alerts are visible at https://github.com/github/codeql-action/security/code-scanning?query=ref%3Arefs%2Fheads%2Fundeclared-action-input
All the alerts appear to be true positives to me and it's found all the alerts I expected it to find.
(Here's a screenshot for posterity)
