🐛 detect label names in dangerous workflows

Signed-off-by: Adam Korczynski <[email protected]>

Author: AdamKorcz

checks/raw/dangerous_workflow.go

@@ -35,6 +35,7 @@ func containsUntrustedContextPattern(variable string) bool {
 			`issue\.body|` +
 			`pull_request\.title|` +
 			`pull_request\.body|` +
+			`labels\.[^.]+\.name|` +
 			`comment\.body|` +
 			`review\.body|` +
 			`review_comment\.body|` +

checks/raw/dangerous_workflow_test.go

@@ -86,6 +86,16 @@ func TestUntrustedContextVariables(t *testing.T) {
 			variable: "github.event.commits[2].author.email",
 			expected: true,
 		},
+		{
+			name:     "PR label name",
+			variable: "github.event.pull_request.labels.foo.name",
+			expected: true,
+		},
+		{
+			name:     "PR label wildcard name",
+			variable: "github.event.pull_request.labels.*.name",
+			expected: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {