Merge pull request #35 from github/default_branch_name

Alvaro Muñoz · web-flow · commit d15dc68e43bb · 2024-05-15T17:57:25.000+02:00
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -3,10 +3,16 @@ private import codeql.actions.DataFlow
 private import actions
 
 predicate workflowDataModel(
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
 ) {
-  Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner)
+  Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+}
+
+predicate repositoryDataModel(
+  string visibility, string default_branch_name
+) {
+  Extensions::repositoryDataModel(visibility, default_branch_name)
 }
 
 /**
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -24,6 +24,10 @@ extensible predicate sinkModel(
 );
 
 extensible predicate workflowDataModel(
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
 );
+
+extensible predicate repositoryDataModel(
+  string visibility, string default_branch_name
+);
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -1,4 +1,5 @@
 import actions
+import codeql.actions.dataflow.ExternalFlow
 
 string defaultBranchTriggerEvent() {
   result =
@@ -10,7 +11,17 @@ string defaultBranchTriggerEvent() {
     ]
 }
 
-string defaultBranchNames() { result = ["main", "master", "default"] }
+string defaultBranchNames() {
+  exists(string default_branch_name |
+    repositoryDataModel(_, default_branch_name) and
+    result = default_branch_name
+  )
+  or
+  not exists(string default_branch_name |
+    repositoryDataModel(_, default_branch_name)
+  ) and
+  result = ["main", "master"]
+}
 
 predicate runsOnDefaultBranch(Job j) {
   exists(Event e |
diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml
@@ -1,4 +1,8 @@
 extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: repositoryDataModel
+    data: []
   - addsTo:
       pack: githubsecuritylab/actions-all
       extensible: workflowDataModel
diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql
@@ -2,7 +2,7 @@ import actions
 import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions
 
 from
-  string path, string visibility, string job, string secrets_source, string permissions,
+  string path, string trigger, string job, string secrets_source, string permissions,
   string runner
-where Extensions::workflowDataModel(path, visibility, job, secrets_source, permissions, runner)
-select visibility, path, job, secrets_source, permissions, runner
+where Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+select trigger, path, job, secrets_source, permissions, runner
