Add extra source to actions CWE-094/CodeInjectionMedium

Author: knewbury01

actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql

@@ -18,6 +18,38 @@ import actions
 import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
+/**
+ * A data flow source of user input from github context.
+ * eg: github.head_ref
+ * Usually only considered for pull_request_target where access to secrets
+ * and tokens is more available.
+ * However this query already finds all context events as sources regardless
+ * so this should be similar.
+ */
+class GitHubCtxSourceMediumLikely extends RemoteFlowSource {
+  string flag;
+  string event;
+
+  GitHubCtxSourceMediumLikely() {
+    exists(GitHubExpression e |
+      this.asExpr() = e and
+      // github.head_ref
+      e.getFieldName() = "head_ref" and
+      flag = "branch"
+    |
+      event = e.getATriggerEvent().getName() and
+      event = "pull_request"
+      or
+      not exists(e.getATriggerEvent()) and
+      event = "unknown"
+    )
+  }
+
+  override string getSourceType() { result = flag }
+
+  override string getEventName() { result = event }
+}
+
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
 where mediumSeverityCodeInjection(source, sink)
 select sink.getNode(), source, sink,

actions/ql/src/change-notes/2026-04-08-codeinjection-medium-sources.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results.