github · knewbury01 · Apr 8, 2026 · Copilot · Apr 8, 2026 · Copilot
@@ -18,6 +18,38 @@ import actions
 import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
+/**
+ * A data flow source of user input from github context.
+ * eg: github.head_ref
+ * Usually only considered for pull_request_target where access to secrets
+ * and tokens is more available.
+ * However this query already finds all context events as sources regardless
- * A data flow source of user input from github context.
- * eg: github.head_ref
- * Usually only considered for pull_request_target where access to secrets
- * and tokens is more available.
- * However this query already finds all context events as sources regardless
+ * A data flow source of user input from GitHub context.
+ * e.g.: `github.head_ref`
+ * Usually only considered for `pull_request_target` where access to secrets
+ * and tokens is more available.
+ * However this query already finds all context events as sources regardless,
- * A data flow source of user input from github context.
- * eg: github.head_ref
- * Usually only considered for pull_request_target where access to secrets
- * and tokens is more available.
- * However this query already finds all context events as sources regardless
+ * A data flow source of user input from GitHub context.
+ * e.g.: `github.head_ref`
+ * Usually only considered for `pull_request_target` where access to secrets
+ * and tokens is more available.
+ * However this query already finds all context events as sources regardless,
+ * so this should be similar.
+ */
+class GitHubCtxSourceMediumLikely extends RemoteFlowSource {
+  string flag;
+  string event;
+
+  GitHubCtxSourceMediumLikely() {
+    exists(GitHubExpression e |
+      this.asExpr() = e and
+      // github.head_ref
+      e.getFieldName() = "head_ref" and
+      flag = "branch"
+    |
+      event = e.getATriggerEvent().getName() and
+      event = "pull_request"
+      or
+      not exists(e.getATriggerEvent()) and
+      event = "unknown"
+    )
+  }
+
+  override string getSourceType() { result = flag }
+
+  override string getEventName() { result = event }
+}
+
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
 where mediumSeverityCodeInjection(source, sink)
 select sink.getNode(), source, sink,

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results.
-* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results.
+* Added a source type to `actions/code-injection/medium` so `github.head_ref` is now treated as a source on the `pull_request` event (not just `pull_request_target`). This will result in the query finding more results.
-* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results.
+* Added a source type to `actions/code-injection/medium` so `github.head_ref` is now treated as a source on the `pull_request` event (not just `pull_request_target`). This will result in the query finding more results.