From 0c442382f9bafd7d36a6feca5339f0986a510693 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Fri, 29 Jan 2021 00:07:29 +0200 Subject: [PATCH 1/2] Update pull_request_target.ql --- CodeQL_Queries/actions/pull_request_target.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CodeQL_Queries/actions/pull_request_target.ql b/CodeQL_Queries/actions/pull_request_target.ql index 42baa9b..28081dd 100644 --- a/CodeQL_Queries/actions/pull_request_target.ql +++ b/CodeQL_Queries/actions/pull_request_target.ql @@ -3,7 +3,7 @@ * @description Workflows triggered on `pull_request_target` have read/write tokens for the base repository and the access to secrets. * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment * that is able to push to the base repository and to access secrets. - * @id java/actions/pull_request_target + * @id javascript/actions/pull_request_target * @kind problem * @problem.severity warning */ From b1463055fffb77e7d815444cad31b73785c2a47b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= Date: Fri, 29 Jan 2021 00:07:55 +0200 Subject: [PATCH 2/2] Update script_injections.ql --- CodeQL_Queries/actions/script_injections.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CodeQL_Queries/actions/script_injections.ql b/CodeQL_Queries/actions/script_injections.ql index 521b41c..bf67c40 100644 --- a/CodeQL_Queries/actions/script_injections.ql +++ b/CodeQL_Queries/actions/script_injections.ql @@ -2,7 +2,7 @@ * @name Command injection from user-controlled Actions context * @description Using user-controlled GitHub Actions contexts in a command line may allow a malicious * user to change the meaning of the command. - * @id java/actions/command-injection + * @id javascript/actions/command-injection * @kind problem * @problem.severity error */
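Review bot: the first hunk changes only the `@id` prefix from `java/actions/pull_request_target` to `javascript/actions/pull_request_target`, but neither the hunk nor the commit message ("Update pull_request_target.ql") records why; please state the reason in the commit message, for example that the `@id` prefix is being aligned with the language pack that actually runs this query, so that a reader of the history does not have to guess whether `java/` was a typo or a deliberate earlier choice. The rest of the metadata block (`@description`, `@kind problem`, `@problem.severity warning`) is unchanged and consistent with the new id.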
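Review bot: the second hunk renames `@id java/actions/command-injection` to `@id javascript/actions/command-injection`, and because CodeQL tracks alerts and query-suite membership by query id, any existing results, suppressions, suite files or documentation that reference the old `java/actions/...` ids will stop matching after this series; please check the repository for references to both old ids and update them in the same change. Since this commit makes exactly the same one-line prefix change as the first commit, consider squashing the two into a single commit with one message explaining the rename.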