From 5d9fe3760e8ce8b9495d257cfac0107bf60e8568 Mon Sep 17 00:00:00 2001
From: Adam Korczynski
Date: Wed, 23 Jul 2025 21:23:02 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20detect=20label=20names=20in=20da?= =?UTF-8?q?ngerous=20workflows?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Adam Korczynski
---
 checks/raw/dangerous_workflow.go | 1 +
 checks/raw/dangerous_workflow_test.go | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/checks/raw/dangerous_workflow.go b/checks/raw/dangerous_workflow.go
index a0970b59368..c00bdb56f6b 100644
--- a/checks/raw/dangerous_workflow.go
+++ b/checks/raw/dangerous_workflow.go
@@ -35,6 +35,7 @@ func containsUntrustedContextPattern(variable string) bool {
 `issue\.body|` +
 `pull_request\.title|` +
 `pull_request\.body|` +
+ `labels\.[^.]+\.name|` +
 `comment\.body|` +
 `review\.body|` +
 `review_comment\.body|` +
diff --git a/checks/raw/dangerous_workflow_test.go b/checks/raw/dangerous_workflow_test.go
index 5865d0538d0..39b201554f9 100644
--- a/checks/raw/dangerous_workflow_test.go
+++ b/checks/raw/dangerous_workflow_test.go
@@ -86,6 +86,16 @@ func TestUntrustedContextVariables(t *testing.T) {
 variable: "github.event.commits[2].author.email",
 expected: true,
 },
+ { name: "PR label name", variable: "github.event.pull_request.labels.foo.name", expected: true, },
+ { name: "PR label wildcard name", variable: "github.event.pull_request.labels.*.name", expected: true, },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
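Review bot: The new alternative `labels\.[^.]+\.name` requires a literal dot immediately after `labels`, so the bracket-indexed spelling that workflow expressions commonly use, `github.event.pull_request.labels[0].name`, does not match and is left unflagged; the test hunk in dangerous_workflow_test.go only exercises the `.foo.` and `.*.` spellings, so the gap is not caught. The sibling patterns are outside the hunk, but the existing `github.event.commits[2].author.email` case expecting true suggests they already tolerate index syntax, and `` `labels.*\.name|` + `` (or, more tightly, `` `labels[\[.][^.]*\.name|` + ``) would give label names the same coverage for both pull_request and issue events. A third table entry with `variable: "github.event.pull_request.labels[0].name"` and `expected: true` would pin it. containsUntrustedContextPattern begins and ends outside the hunk, as does the test table.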