Merge pull request github#6649 from rhysd/discussion-untrusted-inputs

codeql-ci · web-flow · commit 0673355f3149 · 2021-09-10T01:44:54.000-07:00
Approved by erik-krogh
diff --git a/javascript/ql/src/experimental/Security/CWE-094/ExpressionInjection.ql b/javascript/ql/src/experimental/Security/CWE-094/ExpressionInjection.ql
@@ -65,6 +65,12 @@ private predicate isExternalUserControlledCommit(string context) {
   context.regexpMatch("\\bgithub\\s*\\.\\s*head_ref\\b")
 }
 
+bindingset[context]
+private predicate isExternalUserControlledDiscussion(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*title\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*body\\b")
+}
+
 from Actions::Run run, string context, Actions::On on
 where
   run.getAReferencedExpression() = context and
@@ -87,6 +93,9 @@ where
     or
     exists(on.getNode("pull_request_target")) and
     isExternalUserControlledCommit(context)
+    or
+    (exists(on.getNode("discussion")) or exists(on.getNode("discussion_comment"))) and
+    isExternalUserControlledDiscussion(context)
   )
 select run,
   "Potential injection from the " + context +
