mirror of
https://github.com/github/codeql.git
synced 2026-05-05 21:55:19 +02:00
Add poisonable step for pip install .
This commit is contained in:
Alvaro Muñoz
@@ -41,9 +41,9 @@ extensions:
|
||||
- ["pre-commit"]
|
||||
- ["prettier"]
|
||||
- ["phpstan"]
|
||||
- ["pip\\s+install\\s+-r"]
|
||||
- ["pip\\s+install\\s+--requirement"]
|
||||
- ["pipx\\s+install\\s+\\."]
|
||||
- ["pip\\s+install(.*)\\s+-r"]
|
||||
- ["pip\\s+install(.*)\\s+--requirement"]
|
||||
- ["pip(x)?\\s+install(.*)\\s+\\."]
|
||||
- ["poetry"]
|
||||
- ["pylint"]
|
||||
- ["pytest"]
|
||||
|
||||
52
ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
vendored
Normal file
52
ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
vendored
Normal file
@@ -0,0 +1,52 @@
|
||||
name: Test WR
|
||||
|
||||
on:
|
||||
workflow_run:
|
||||
workflows:
|
||||
- Test
|
||||
types:
|
||||
- completed
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
setup:
|
||||
name: Setup
|
||||
runs-on: ubuntu-24.04
|
||||
outputs:
|
||||
github-sha: ${{ steps.get-sha.outputs.sha }}
|
||||
chart-version: ${{ steps.get-version.outputs.chart_version }}
|
||||
steps:
|
||||
- name: Get triggering event SHA
|
||||
id: get-sha
|
||||
run: |
|
||||
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
|
||||
echo sha="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT
|
||||
elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then
|
||||
echo sha="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT
|
||||
elif [[ "${{ github.event_name }}" == "push" ]]; then
|
||||
echo sha="${{ github.sha }}" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "Invalid event type"
|
||||
exit 1
|
||||
fi
|
||||
- name: Checkout Source Code
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
ref: ${{ steps.get-sha.outputs.sha }}
|
||||
fetch-depth: 0
|
||||
- name: Get version
|
||||
id: get-version
|
||||
run: |
|
||||
echo "chart_version=$(<ERSION)" | tee -a $GITHUB_OUTPUT
|
||||
|
||||
push:
|
||||
name: Push
|
||||
runs-on: ubuntu-24.04
|
||||
needs: setup
|
||||
steps:
|
||||
- run: |
|
||||
echo ${{ needs.setup.outputs.chart-version }}
|
||||
@@ -206,6 +206,11 @@ edges
|
||||
| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | |
|
||||
| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | |
|
||||
| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | |
|
||||
| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance | |
|
||||
| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance | |
|
||||
| .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | provenance | Config |
|
||||
| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | provenance | |
|
||||
| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | provenance | |
|
||||
| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | |
|
||||
| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | |
|
||||
| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | |
|
||||
@@ -602,6 +607,12 @@ nodes
|
||||
| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
|
||||
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
|
||||
| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
|
||||
| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | semmle.label | Job outputs node [chart-version] |
|
||||
| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | semmle.label | steps.get-version.outputs.chart_version |
|
||||
| .github/workflows/test27.yml:35:9:41:6 | Uses Step | semmle.label | Uses Step |
|
||||
| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] |
|
||||
| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | semmle.label | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n |
|
||||
| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | semmle.label | needs.setup.outputs.chart-version |
|
||||
| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
|
||||
| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
|
||||
| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
|
||||
@@ -784,6 +795,7 @@ subpaths
|
||||
| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
|
||||
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
|
||||
| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
|
||||
| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
|
||||
|
||||
@@ -206,6 +206,11 @@ edges
|
||||
| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | |
|
||||
| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | |
|
||||
| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | |
|
||||
| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance | |
|
||||
| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance | |
|
||||
| .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | provenance | Config |
|
||||
| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | provenance | |
|
||||
| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | provenance | |
|
||||
| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | |
|
||||
| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | |
|
||||
| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | |
|
||||
@@ -602,6 +607,12 @@ nodes
|
||||
| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
|
||||
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
|
||||
| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
|
||||
| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | semmle.label | Job outputs node [chart-version] |
|
||||
| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | semmle.label | steps.get-version.outputs.chart_version |
|
||||
| .github/workflows/test27.yml:35:9:41:6 | Uses Step | semmle.label | Uses Step |
|
||||
| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] |
|
||||
| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | semmle.label | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n |
|
||||
| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | semmle.label | needs.setup.outputs.chart-version |
|
||||
| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
|
||||
| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
|
||||
| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
|
||||
|
||||
@@ -57,3 +57,4 @@ jobs:
|
||||
echo "BENCHEOF" >> $GITHUB_OUTPUT
|
||||
shell: bash
|
||||
- run: python2.7 foo.py
|
||||
- run: pip install --no-deps .
|
||||
|
||||
@@ -210,7 +210,8 @@ edges
|
||||
| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step |
|
||||
| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
|
||||
| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr |
|
||||
| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:59:30 | Run Step |
|
||||
| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:60:6 | Run Step |
|
||||
| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:60:9:60:37 | Run Step |
|
||||
| .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step |
|
||||
| .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step |
|
||||
| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step |
|
||||
@@ -351,7 +352,8 @@ edges
|
||||
| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/test7.yml:59:9:59:30 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:59:30 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
|
||||
|
||||
Reference in New Issue
Block a user