Add support for multiline assigments

2026-05-03 20:58:03 +02:00 · 2024-04-11 15:18:09 +02:00
parent 8d2b8be133
commit 1b2e02df64
15 changed files with 265 additions and 56 deletions
--- a/ql/test/library-tests/.github/workflows/multiline.yml
+++ b/ql/test/library-tests/.github/workflows/multiline.yml
@@ -0,0 +1,29 @@
+on: 
+  workflow_run:
+    workflows: ["Prev"]
+    types:
+      - completed
+
+jobs:
+  Test:
+    runs-on: ubuntu-latest
+    steps:
+      run: |
+        echo "changelog<<CHANGELOGEOF" >> $GITHUB_OUTPUT
+        echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT
+        echo "CHANGELOGEOF" >> $GITHUB_OUTPUT
+      run: |
+        EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+        echo "status<<$EOF" >> $GITHUB_OUTPUT
+        echo "$(cat status.output.json)" >> $GITHUB_OUTPUT
+        echo "$EOF" >> $GITHUB_OUTPUT
+      run: |
+        echo "response<<$EOF" >> $GITHUB_OUTPUT
+        echo $output >> $GITHUB_OUTPUT
+        echo "$EOF" >> $GITHUB_OUTPUT
+      - run: |
+        {
+          echo 'JSON_RESPONSE<<EOF'
+          ls | grep -E "*.(tar.gz|zip)$"
+          echo EOF
+        } >> "$GITHUB_ENV"
--- a/ql/test/library-tests/test.ql
+++ b/ql/test/library-tests/test.ql
@@ -80,7 +80,7 @@ query predicate writeToGitHubEnv(string key, string value) {
        "echo 'sha2=$(<test-results2/sha-number)' >> $GITHUB_ENV",
        "echo sha3=$(<test-results3/sha-number) >> $GITHUB_ENV",
      ] and
-    Utils::extractAssignment(t, "ENV", key, value)
+    Utils::extractLineAssignment(t, "ENV", key, value)
  )
 }

@@ -98,6 +98,6 @@ query predicate writeToGitHubOutput(string key, string value) {
        "echo sha5=$(<test-results5/sha-number) >> ${GITHUB_OUTPUT}",
        "echo sha6=$(<test-results6/sha-number) >> \"${GITHUB_OUTPUT}\"",
      ] and
-    Utils::extractAssignment(t, "OUTPUT", key, value)
+    Utils::extractLineAssignment(t, "OUTPUT", key, value)
  )
 }
--- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
+++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
@@ -0,0 +1,43 @@
+name: Pull Request Open
+
+on:
+  pull_request_target:
+    branches:
+      - main
+      - 14.0.x
+
+    types:
+      - opened
+      - reopened
+
+jobs:
+  updateJira:
+    if: github.actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - env:
+          TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV
+      - env:
+          TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          echo "PR_TITLE<<EOF" >> $GITHUB_ENV
+          echo "$TITLE" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+      - run: |
+          echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
+          ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}"
+          ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}"
+          echo "EOF" >> "${GITHUB_ENV}"
+      - run: |
+          {
+            echo 'JSON_RESPONSE<<EOF'
+            curl https://example.com
+            echo EOF
+          } >> "$GITHUB_ENV"
+
+
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected
@@ -3,6 +3,8 @@ edges
 | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step |
 | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step |
 | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step |
+| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step |
+| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step |
 nodes
 | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step |
@@ -12,5 +14,9 @@ nodes
 | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step |
+| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 subpaths
 #select
--- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected
+++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected
@@ -3,6 +3,8 @@ edges
 | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step |
 | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step |
 | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step |
+| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step |
+| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step |
 nodes
 | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step |
@@ -12,6 +14,10 @@ nodes
 | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step |
+| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 subpaths
 #select
 | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step |
@@ -19,3 +25,5 @@ subpaths
 | .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step |
 | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step |
 | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step |
+| .github/workflows/test4.yml:21:9:25:6 | Run Step | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:21:9:25:6 | Run Step | Run Step |
+| .github/workflows/test4.yml:25:9:31:6 | Run Step | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:25:9:31:6 | Run Step | Run Step |
--- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -200,8 +200,8 @@ nodes
 | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
 | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
 | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
-| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
-| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) |
+| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) |
 | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY |
--- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
@@ -200,8 +200,8 @@ nodes
 | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
 | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
 | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
-| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
-| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | semmle.label | toJSON(github.event) |
+| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) |
 | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY |
@@ -309,8 +309,8 @@ subpaths
 | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} |
 | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} |
 | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} |
-| .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:23:31:23:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
-| .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:25:11:25:37 | toJSON(github.event) | ${{ toJSON(github.event) }} |
+| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
+| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} |
 | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
 | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} |
 | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning51.yml
@@ -18,7 +18,3 @@ jobs:
      - name: Env Var Injection
        run: |
          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV
-
-
-
-
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning52.yml
@@ -0,0 +1,27 @@
+name: Pull Request Open
+
+on: 
+  workflow_run:
+    workflows: ["Prev"]
+    types:
+      - completed
+
+jobs:
+  Download:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+      - name: Unzip
+        run: |
+          unzip artifact_name.zip -d foo
+      - name: Env Var Injection
+        run: |
+          echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
+          ls | grep -E "*.(tar.gz|zip)$" >> "${GITHUB_ENV}"
+          ls | grep -E "*.(txt|md)$" >> "${GITHUB_ENV}"
+          echo "EOF" >> "${GITHUB_ENV}"
+
+
+
+
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning53.yml
@@ -0,0 +1,27 @@
+name: Pull Request Open
+
+on: 
+  workflow_run:
+    workflows: ["Prev"]
+    types:
+      - completed
+
+jobs:
+  Download:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+      - name: Unzip
+        run: |
+          unzip artifact_name.zip -d foo
+      - run: |
+          {
+            echo 'JSON_RESPONSE<<EOF'
+            ls | grep -E "*.(tar.gz|zip)$"
+            echo EOF
+          } >> "$GITHUB_ENV"
+
+
+
+
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
@@ -8,3 +8,5 @@
 | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
 | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |