Class ArgumentInjectionFromEnvVarSink

Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection. e.g. env: BODY: ${{ github.event.comment.body }} run: | sed “s/FOO/$BODY/g” > /tmp/foo

Import path

import codeql.actions.security.ArgumentInjectionQuery

Direct supertypes

ArgumentInjectionSink

Indirect supertypes

Node
TNode

Fields

command

Predicates

getCommand

Inherited predicates

asExpr		from Node
getLocation		from Node
hasLocationInfo	Holds if this element is at the specified location. The location spans column `startcolumn` of line `startline` to column `endcolumn` of line `endline` in file `filepath`. For more information, see Locations.	from Node
toString	Gets a textual representation of this element.	from Node

Charpred

ArgumentInjectionFromEnvVarSink