From 55d16e8781602f1e6542e3b4bd6d38c7d2250975 Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli
Date: Wed, 25 Mar 2026 10:58:16 +0100
Subject: [PATCH 1/3] Remove false-positive `command-injection` sink model for `step-security/harden-runner`

The `allowed-endpoints` input only flows to `execFileSync("echo", [content])` (no shell) and `fs.writeFileSync` (JSON config), neither of which is a command injection vector.

Fixes https://github.com/github/codeql/issues/21568
---
.../ql/lib/ext/manual/step-security_harden-runner.model.yml | 6 ------
1 file changed, 6 deletions(-)
delete mode 100644 actions/ql/lib/ext/manual/step-security_harden-runner.model.yml

diff --git a/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml b/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml
deleted file mode 100644
index 129c8beb0202..000000000000
--- a/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/actions-all
-      extensible: actionsSinkModel
-    data:
-      - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]

From e8075455913cfcfc05dfb02d882396c08ed24c8d Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli
Date: Thu, 26 Mar 2026 09:08:34 +0100
Subject: [PATCH 2/3] Remove false positive `docker/build-push-action` `context` sink model

The `context` input is passed as a single array element through `docker/actions-toolkit` and `@actions/exec` all the way to `child_process.spawn()`, which does not perform shell splitting. No code injection is possible.

Fixes https://github.com/github/codeql/issues/21428
---
.../ql/lib/ext/manual/docker_build-push-action.model.yml | 6 ------
1 file changed, 6 deletions(-)
delete mode 100644 actions/ql/lib/ext/manual/docker_build-push-action.model.yml
diff --git a/actions/ql/lib/ext/manual/docker_build-push-action.model.yml b/actions/ql/lib/ext/manual/docker_build-push-action.model.yml
deleted file mode 100644
index 116c231c30a4..000000000000
--- a/actions/ql/lib/ext/manual/docker_build-push-action.model.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/actions-all
-      extensible: actionsSinkModel
-    data:
-      - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
\ No newline at end of file

From e0bc18c22866b5808817754bd820d1da53478214 Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli
Date: Thu, 26 Mar 2026 09:11:25 +0100
Subject: [PATCH 3/3] Add changenote for false positive sink model removals

---
.../change-notes/2026-03-26-remove-false-positive-sinks.md | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 actions/ql/lib/change-notes/2026-03-26-remove-false-positive-sinks.md

diff --git a/actions/ql/lib/change-notes/2026-03-26-remove-false-positive-sinks.md b/actions/ql/lib/change-notes/2026-03-26-remove-false-positive-sinks.md
new file mode 100644
index 000000000000..20ccc6d6c024
--- /dev/null
+++ b/actions/ql/lib/change-notes/2026-03-26-remove-false-positive-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.