False positive: Incorrect CodeQL model for step-security/harden-runner action #21568

@XinyuZhangXvX

Description

The CodeQL model for step-security/harden-runner ([model file]) flags input.allowed-endpoints as flowing to a command injection sink.

However, examining the actual source code, the call is:

```js
cp.execFileSync("echo", [content]);
```

This is not a command injection vulnerability because:

  1. The first argument (the command) is a hardcoded string "echo" — it is not user-controlled.
  2. execFileSync does not pass arguments through a shell by default. It invokes the executable directly via execvp, so shell metacharacters in content (e.g., ; rm -rf /, $(cmd), `cmd`) are treated as literal strings and passed as-is to the echo program.
  3. The user-controlled input (content) only flows into the argument array (the second parameter), which cannot cause command injection without shell: true being set in the options.

Therefore, this is a false positive — the tainted data does not reach a position where it can alter which command is executed or be interpreted by a shell.
