hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-08 04:00:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #30 from github/peter_murray_issue-body-parser-action_model

Browse Source 
Add missing source for peter-murray/issue-body-parser-action
This commit is contained in:
Alvaro Muñoz
2024-05-14 15:38:18 +02:00
committed by GitHub
parent 67c964808b f96b9cc535
commit 33b3fc67c7
5 changed files with 83 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ql/lib/ext/peter-murray_issue-body-parser-action.model.yml Normal file
View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: githubsecuritylab/actions-all
extensible: sourceModel
data:
- ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"]

1
ql/test/library-tests/test.expected
View File

@@ -464,6 +464,7 @@ sources
| jitterbit/get-changed-files | * | output.renamed | filename | manual |
| khan/pull-request-comment-trigger | * | output.comment_body | text | manual |
| marocchino/on_artifact | * | output.* | artifact | manual |
| peter-murray/issue-body-parser-action | * | output.* | text | manual |
| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual |
| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual |
| tj-actions/branch-names | * | output.current_branch | branch | manual |

61
ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml vendored Normal file
View File

@@ -0,0 +1,61 @@
name: Approve or Deny Marketplace Action Request
on:
issue_comment:
types: [created]
jobs:
parse-issue:
runs-on: self-hosted
outputs:
payload: ${{ steps.issue_body_parser_request.outputs.payload }}
steps:
- name: Get JSON Data out of Issue Request
uses: peter-murray/issue-body-parser-action@v2
id: issue_body_parser_request
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
issue_id: ${{ github.event.issue.number }}
payload_marker: request
fail_on_missing: false
approve-or-deny-request:
runs-on: self-hosted
needs: parse-issue
if: needs.parse-issue.outputs.payload != 'NOT_FOUND'
steps:
- name: Lookup the latest release of ${{ fromJson(needs.parse-issue.outputs.payload).owner }}/${{ fromJson(needs.parse-issue.outputs.payload).repo }}
id: get_version
env:
OWNER: ${{ fromJson(needs.parse-issue.outputs.payload).owner }}
REPO: ${{ fromJson(needs.parse-issue.outputs.payload).repo }}
REQUEST_VERSION: ${{ fromJson(needs.parse-issue.outputs.payload).version }}
run: |
if [ $REQUEST_VERSION == 'latest' ]; then
echo "Finding latest release of $OWNER/$REPO..."
export VERSION=`curl https://api.github.com/repos/$OWNER/$REPO/releases/latest | jq -r .name`
else
export VERSION=$REQUEST_VERSION
fi
echo "VERSION: $VERSION"
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Check out scripts
uses: actions/checkout@v3
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: '14'
check-latest: true
- name: Install dependencies
run: |
cd .github/scripts
npm install
- name: Approve or deny request
uses: actions/github-script@main
env:
VERSION: ${{ steps.get_version.outputs.version }}
with:
debug: true
script: |
const options = { token: '${{ secrets.TOKEN }}', adminOpsOrg: '${{ vars.ADMIN_OPS_ORG }}', actionsApprovedOrg: '${{ vars.ACTIONS_APPROVED_ORG }}', actionsApproverTeam: '${{ vars.ACTIONS_APPROVERS_TEAM }}', baseUrl: '${{ github.api_url }}', version: process.env.VERSION };
const payload = ${{ needs.parse-issue.outputs.payload }}
await require('./.github/scripts/approve-or-deny-request.js')({github, context, payload, options});

7
ql/test/query-tests/Security/CWE-094/CodeInjection.expected
View File

@@ -59,6 +59,9 @@ edges
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY |
| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files |
| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files |
| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload |
| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] |
| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload |
| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] |
| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value |
@@ -222,6 +225,10 @@ nodes
| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files |
| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 |
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files |
| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] |
| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request |
| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |

8
ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
View File

@@ -59,6 +59,9 @@ edges
| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY |
| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files |
| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files |
| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload |
| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] |
| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload |
| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] |
| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value |
@@ -222,6 +225,10 @@ nodes
| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files |
| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 |
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files |
| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] |
| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request |
| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -333,6 +340,7 @@ subpaths
| .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} |
| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} |
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} |
| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} |
| .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |