Update actions/ql/lib/codeql/actions/Bash.qll

JarLob · asgerf · web-flow · commit 9521467a06b3 · 2025-01-24T12:59:41.000+01:00
Co-authored-by: Asger F &lt;asgerf@github.com&gt;
diff --git a/actions/ql/lib/codeql/actions/Bash.qll b/actions/ql/lib/codeql/actions/Bash.qll
@@ -699,13 +699,13 @@ module Bash {
       // VAR2=$(cmd)
       // VAR3=$VAR2
       // echo "FIELD=${VAR3:-default}" >> $GITHUB_ENV (field, file_write_value)
+      containsCmdSubstitution(value2, cmd) and
       script.getAnAssignment(var2, value2) and
+      containsParameterExpansion(value3, var2, _, _) and
       script.getAnAssignment(var3, value3) and
+      containsParameterExpansion(expr, var3, _, _) and
       not varMatchesRegexTest(script, var2, alphaNumericRegex()) and
-      not varMatchesRegexTest(script, var3, alphaNumericRegex()) and
-      containsCmdSubstitution(value2, cmd) and
-      containsParameterExpansion(value3, var2, _, _) and
-      containsParameterExpansion(expr, var3, _, _)
+      not varMatchesRegexTest(script, var3, alphaNumericRegex())
     )
     or
     // var reaches the file write directly
