Initial commit (from f5274cbdce4ae7c9e4b937dcdf95ac70ae436d5f)

2020-04-28 16:46:47 +02:00 · 2020-04-28 16:46:47 +02:00 · 28ccc3db2d
commit 28ccc3db2d
13974 changed files with 2618436 additions and 0 deletions
--- a/queries/import-action-entrypoint.ql
+++ b/queries/import-action-entrypoint.ql
@ -0,0 +1,24 @@
+/**
+ * @name Import action entrypoint
+ * @description Importing the entrpoint file for an action is dangerous
+ * because the code from that action will be run when the file is imported.
+ * @kind problem
+ * @problem.severity error
+ * @id javascript/codeql-action/import-action-entrypoint
+ */
+
+import javascript
+
+class ActionEntrypointFile extends File {
+  ActionEntrypointFile() {
+    exists(Module m | m.getPath() = this.getAbsolutePath() and
+       // This is quite a broad check and relies on the function name, but hopefully it'll be accurate enough
+       m.getAStmt().getAChildExpr+().(CallExpr).getCalleeName() = "run") and
+    // Requiring the relative path to exist limits us to files in the code repository and avoid libraries
+    exists(this.getRelativePath())
+  }
+}
+
+from ImportDeclaration i
+where exists(ActionEntrypointFile f | i.getImportedModule().getPath() = f.getAbsolutePath())
+select i, "This imports the entrypoint file for an action. This will execute the code from the action."
--- a/queries/qlpack.yml
+++ b/queries/qlpack.yml
@ -0,0 +1,4 @@
+name: codeql-action-custom-queries-javascript
+version: 0.0.0
+libraryPathDependencies: codeql-javascript
+