Module EnvVarInjectionQuery
Import path
import codeql.actions.security.EnvVarInjectionQueryPredicates
Predicates
| getRelevantArtifactEventInPrivilegedContext | Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is "artifact". |
| getRelevantNonArtifactEventInPrivilegedContext | Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is not "artifact". |
| sanitizerCommand |
Classes
| EnvVarInjectionFromCommandSink | Holds if a Run step executes a command that returns untrusted data which flows to GITHUB_ENV, e.g. |

```yaml
run: |
  COMMIT_MESSAGE=$(git log --format=%s)
  echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
```

| EnvVarInjectionFromEnvVarSink | Holds if a Run step uses an environment variable declared in the step's env: block to declare another env var, e.g. |

```yaml
env:
  BODY: ${{ github.event.comment.body }}
run: |
  echo "FOO=$BODY" >> $GITHUB_ENV
```

| EnvVarInjectionFromFileReadSink | Holds if a Run step declares an environment variable with contents from a local file. |
| EnvVarInjectionFromMaDSink | Holds if a 3rd party action declares an environment variable with contents from an untrusted file, e.g. |

```yaml
- name: Load .env file
  uses: aarcangeli/load-dotenv@v1.0.0
  with:
    path: 'backend/new'
    filenames: |
      .env
      .env.test
    quiet: false
    if-file-not-found: error
```

| EnvVarInjectionSink |
Aliases
| EnvVarInjectionFlow | Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. |
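As an added example (not part of the CodeQL module or its documentation), the shell below reproduces the EnvVarInjectionFromCommandSink pattern against a constructed commit message and contrasts it with a delimiter-based write that the `echo "KEY=$value" >> $GITHUB_ENV` form lacks. It simulates GITHUB_ENV with a temp file; `count_vars` is an assumed, simplified parser of the runner's file format used only to show how many variables each write defines.

```shell
# Constructed untrusted input: a commit message carrying a newline and a
# second KEY=value line, the shape that makes the sink above exploitable.
UNTRUSTED_MSG=$(printf 'fix typo\nINJECTED=1')

# Vulnerable pattern from the sink description: echo "KEY=$value" >> $GITHUB_ENV
vulnerable_write() {            # $1 = env file, $2 = name, $3 = value
  echo "$2=$3" >> "$1"
}

# Hardened writer: GitHub's multi-line "KEY<<DELIM ... DELIM" syntax with a
# random, single-use delimiter. The value can only end the block early if it
# contains the delimiter, which is checked for and refused explicitly.
safe_write() {                  # $1 = env file, $2 = name, $3 = value
  delim="EOF_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  case "$3" in
    *"$delim"*) echo "refusing: value contains delimiter" >&2; return 1 ;;
  esac
  printf '%s<<%s\n%s\n%s\n' "$2" "$delim" "$3" "$delim" >> "$1"
}

# Simplified (assumed) parser of a GITHUB_ENV-style file: counts single-line
# KEY=value entries plus KEY<<DELIM blocks, skipping lines inside a block.
count_vars() {                  # $1 = env file
  awk '
    delim != "" { if ($0 == delim) delim = ""; next }   # inside a block
    /<</        { n++; split($0, a, "<<"); delim = a[2]; next }
    /=/         { n++ }
    END         { print n + 0 }' "$1"
}

# Runs both writers on the same input and prints "<vulnerable> <safe>" counts.
demo() {
  f=$(mktemp)
  vulnerable_write "$f" COMMIT_MESSAGE "$UNTRUSTED_MSG"
  bad=$(count_vars "$f")        # 2: COMMIT_MESSAGE and the injected INJECTED
  : > "$f"
  safe_write "$f" COMMIT_MESSAGE "$UNTRUSTED_MSG"
  good=$(count_vars "$f")       # 1: only COMMIT_MESSAGE, newline kept as data
  rm -f "$f"
  echo "$bad $good"
}
```

Running `demo` prints `2 1`: the plain echo turned one untrusted value into two variable definitions, while the delimited write kept it as a single value.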