Skip to content

Actions Query Fix: UntrustedCheckoutTOCTOU[High|Critical] ControlCheck model fix#22154

Open
knewbury01 wants to merge 1 commit into
github:mainfrom
knewbury01:knewbury01/adjust-environmentcheck
Open

Actions Query Fix: UntrustedCheckoutTOCTOU[High|Critical] ControlCheck model fix#22154
knewbury01 wants to merge 1 commit into
github:mainfrom
knewbury01:knewbury01/adjust-environmentcheck

Conversation

@knewbury01

@knewbury01 knewbury01 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Add UntrustedCheckoutTOCTOUHigh and UntrustedCheckoutTOCTOUCritical use of ControlCheck model fix

currently EnvironmentCheck has a doc that mentions that environment requirements are not sufficient to prevent mutation attacks bc mutation could still occur after the env check is satisfied. the modelling however still considered that check to suffice when it is an attacker condition , which is incorrect. that check should not suffice ever, for toctou category

the example of bad usage in the helpfile for these vuln types and also one of the testcases demonstrated the above, and were previously not detected. With this change, these cases are now detected.

Perhaps in this PR it would be good to review if any other check types have this issue

@knewbury01 knewbury01 requested a review from a team as a code owner July 9, 2026 21:12
Copilot AI review requested due to automatic review settings July 9, 2026 21:12
@github-actions github-actions Bot added the Actions Analysis of GitHub Actions label Jul 9, 2026
@knewbury01 knewbury01 changed the title Add UntrustedCheckoutTOCTOUX ControlCheck model fix Actions Query Fix: UntrustedCheckoutTOCTOU[High|Critical ControlCheck model fix Jul 9, 2026
@knewbury01 knewbury01 changed the title Actions Query Fix: UntrustedCheckoutTOCTOU[High|Critical ControlCheck model fix Actions Query Fix: UntrustedCheckoutTOCTOU[High|Critical] ControlCheck model fix Jul 9, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Actions TOCTOU (“untrusted checkout”) modeling so that deployment environment approvals (EnvironmentCheck / “environment protection rules”) no longer count as sufficient protection for TOCTOU-category findings, matching the documented limitation that an attacker can mutate the checked-out ref after the environment gate.

Changes:

  • Tighten EnvironmentCheck.protectsCategoryAndEvent so it only applies to non_toctou_category() (for both attacker and non-attacker event variants).
  • Update the UntrustedCheckoutTOCTOUCritical test expected output to include newly-detected findings in deployment1.yml.
  • Minor formatting adjustment in UntrustedCheckoutTOCTOUCritical.ql (no apparent semantic change).
Show a summary per file
File Description
actions/ql/lib/codeql/actions/security/ControlChecks.qll Adjusts the EnvironmentCheck protection predicate to exclude TOCTOU categories.
actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql Minor formatting change around the privileged-context clause.
actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected Updates expected results to reflect new detections (adds deployment1.yml edges).

Review details

  • Files reviewed: 3/3 changed files
  • Comments generated: 0
  • Review effort level: Low

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Actions Analysis of GitHub Actions

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants