/**
 * @name Import action entrypoint
 * @description Importing the entrypoint file for an action is dangerous
 * because the code from that action will be run when the file is imported.
 * @kind problem
 * @problem.severity error
 * @id javascript/codeql-action/import-action-entrypoint
 */
import javascript
/**
 * A source file in the code repository that looks like the entrypoint of an
 * action: its module contains (at any nesting depth) a call to a function
 * named `run`.
 *
 * The `run` heuristic is deliberately broad and name-based; it may match
 * files that are not real entrypoints, but is expected to be accurate enough
 * for this query's purpose.
 */
class ActionEntrypointFile extends File {
  ActionEntrypointFile() {
    // Only files with a relative path are part of the code repository; this
    // excludes library code, which has no relative path.
    exists(this.getRelativePath()) and
    // The module backing this file must contain a `run(...)` call somewhere
    // below one of its top-level statements.
    exists(Module mod, CallExpr runCall |
      mod.getPath() = this.getAbsolutePath() and
      runCall = mod.getAStmt().getAChildExpr+() and
      runCall.getCalleeName() = "run"
    )
  }
}
// Flag every import whose resolved module is the file of an action
// entrypoint: importing such a file executes the action's top-level code as
// a side effect of the import.
from ImportDeclaration imp
where
  imp.getImportedModule().getPath() = any(ActionEntrypointFile entrypoint).getAbsolutePath()
select imp, "This imports the entrypoint file for an action. This will execute the code from the action."