github
diff --git a/‎actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md
Lines changed: 4 additions & 0 deletions b/‎actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/Bash.qll
Lines changed: 3 additions & 1 deletion b/‎actions/ql/lib/codeql/actions/Bash.qll
Lines changed: 3 additions & 1 deletion
diff --git a/‎actions/ql/lib/codeql/actions/config/Config.qll
Lines changed: 9 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/config/Config.qll
Lines changed: 9 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
Lines changed: 5 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
Lines changed: 5 additions & 0 deletions
diff --git a/‎actions/ql/lib/ext/config/trusted_actions_owner.yml
Lines changed: 8 additions & 0 deletions b/‎actions/ql/lib/ext/config/trusted_actions_owner.yml
Lines changed: 8 additions & 0 deletions
diff --git a/‎actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
Lines changed: 2 additions & 2 deletions b/‎actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
Lines changed: 2 additions & 2 deletions
diff --git a/‎actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
Lines changed: 2 additions & 2 deletions b/‎actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
Lines changed: 2 additions & 2 deletions
diff --git a/‎actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
Lines changed: 2 additions & 1 deletion b/‎actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
Lines changed: 2 additions & 1 deletion
diff --git a/‎actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
Lines changed: 2 additions & 1 deletion b/‎actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
Lines changed: 2 additions & 1 deletion
diff --git a/‎actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
Lines changed: 2 additions & 2 deletions b/‎actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
Lines changed: 2 additions & 2 deletions
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
@@ -81,7 +81,9 @@ class BashShellScript extends ShellScript {
           "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
             quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
       )
-    )
+    ) and
+    // Only do this for strings that might otherwise disrupt subsequent parsing
+    quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
   }
 
   private predicate rankedQuotedStringReplacements(int i, string old, string new) {
 
@@ -126,6 +126,15 @@ predicate vulnerableActionsDataModel(
  */
 predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
 
+/**
+ * MaD models for trusted actions owners
+ * Fields:
+ *    - owner: owner name
+ */
+predicate trustedActionsOwnerDataModel(string owner) {
+  Extensions::trustedActionsOwnerDataModel(owner)
+}
+
 /**
  * MaD models for untrusted git commands
  * Fields:
 
@@ -63,6 +63,11 @@ extensible predicate vulnerableActionsDataModel(
  */
 extensible predicate immutableActionsDataModel(string action);
 
+/**
+ * Holds for trusted Actions owners.
+ */
+extensible predicate trustedActionsOwnerDataModel(string owner);
+
 /**
  * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
  */
 
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo: 
+      pack: codeql/actions-all
+      extensible: trustedActionsOwnerDataModel
+    data:      
+      - ["actions"]
+      - ["github"]
+      - ["advanced-security"]
@@ -2,9 +2,9 @@
  * @name PATH Enviroment Variable built from user-controlled sources
  * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
  * @security-severity 5.0
- * @precision high
+ * @precision medium
  * @id actions/envpath-injection/medium
  * @tags actions
  *       security
 
@@ -2,9 +2,9 @@
  * @name Enviroment Variable built from user-controlled sources
  * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
  * @security-severity 5.0
- * @precision high
+ * @precision medium
  * @id actions/envvar-injection/medium
  * @tags actions
  *       security
 
@@ -3,11 +3,12 @@
  * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
  * @kind problem
  * @security-severity 5.0
- * @problem.severity recommendation
+ * @problem.severity warning
  * @precision high
  * @id actions/missing-workflow-permissions
  * @tags actions
  *       maintainability
+ *       security
  *       external/cwe/cwe-275
  */
 
 
@@ -2,7 +2,8 @@
  * @name Excessive Secrets Exposure
  * @description All organization and repository secrets are passed to the workflow runner.
  * @kind problem
- * @problem.severity recommendation
+ * @precision high
+ * @problem.severity warning
  * @id actions/excessive-secrets-exposure
  * @tags actions
  *       security
 
@@ -2,8 +2,8 @@
  * @name Artifact poisoning
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind path-problem
- * @problem.severity warning
- * @precision high
+ * @problem.severity error
+ * @precision medium
  * @security-severity 5.0
  * @id actions/artifact-poisoning/medium
  * @tags actions
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: feature
 +---
 +* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,9 @@ class BashShellScript extends ShellScript {`
`81`	`81`	`"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +`
`82`	`82`	`quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")`
`83`	`83`	`)`
`84`		`- )`
	`84`	`+ ) and`
	`85`	`+ // Only do this for strings that might otherwise disrupt subsequent parsing`
	`86`	`+ quotedStr.regexpMatch("[\"'].[$\n\r'\"" + Bash::separator() + "].[\"']")`
`85`	`87`	`}`
`86`	`88`
`87`	`89`	`private predicate rankedQuotedStringReplacements(int i, string old, string new) {`