From b199fdc3e255b92dfe57434d6a6316323a6f0ef9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 11 Sep 2024 10:25:10 +0200
Subject: [PATCH 1/3] Add new models for file listing actions

---
 ...riHaximus_github-action-files-in-commit.model.yml | 9 +++++++++
 .../ext/manual/ab185508_file-type-finder.model.yml | 10 ++++++++++
 .../manual/ankitjain28may_list-files-in-pr.model.yml | 9 +++++++++
 .../avraamMavridis_files-changed-action.model.yml | 10 ++++++++++
 .../manual/jsmith_changes-since-last-tag.model.yml | 12 ++++++++++++
 .../karpikpl_list-changed-files-action.model.yml | 8 ++++++++
 ql/lib/ext/manual/knu_changed-files.model.yml | 11 +++++++++++
 .../ext/manual/martinhaintz_ga-file-list.model.yml | 8 ++++++++
 .../manual/rishabh510_path-lister-action.model.yml | 9 +++++++++
 .../manual/the-coding-turtle_ga-file-list.model.yml | 8 ++++++++
 .../ext/manual/w3f_action-find-old-files.model.yml | 8 ++++++++
 ql/lib/ext/manual/yumemi-inc_changed-files.model.yml | 9 +++++++++
 12 files changed, 111 insertions(+)
 create mode 100644 ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml
 create mode 100644 ql/lib/ext/manual/ab185508_file-type-finder.model.yml
 create mode 100644 ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml
 create mode 100644 ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml
 create mode 100644 ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml
 create mode 100644 ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml
 create mode 100644 ql/lib/ext/manual/knu_changed-files.model.yml
 create mode 100644 ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml
 create mode 100644 ql/lib/ext/manual/rishabh510_path-lister-action.model.yml
 create mode 100644 ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml
 create mode 100644 ql/lib/ext/manual/w3f_action-find-old-files.model.yml
 create mode 100644 ql/lib/ext/manual/yumemi-inc_changed-files.model.yml
diff --git a/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml new file mode 100644 index 00000000000..e2009c88851 --- /dev/null +++ b/ql/lib/ext/manual/WyriHaximus_github-action-files-in-commit.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/WyriHaximus/github-action-files-in-commit + - ["WyriHaximus/github-action-files-in-commit", "*", "output.files", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/ab185508_file-type-finder.model.yml b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml new file mode 100644 index 00000000000..119b4b1d814 --- /dev/null +++ b/ql/lib/ext/manual/ab185508_file-type-finder.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/ab185508/file-type-finder + - ["ab185508/file-type-finder", "*", "output.paths", "filename", "manual"] + - ["ab185508/file-type-finder", "*", "output.names", "filename", "manual"] + - ["ab185508/file-type-finder", "*", "output.extaddpaths", "filename", "manual"] + diff --git a/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml new file mode 100644 index 00000000000..e3c9297cf23 --- /dev/null +++ b/ql/lib/ext/manual/ankitjain28may_list-files-in-pr.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/ankitjain28may/list-files-in-pr + - ["ankitjain28may/list-files-in-pr", "*", "output.pullRequestFiles", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml new file mode 100644 index 00000000000..c14bc95c013 --- /dev/null 
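Review bot: The action identifier in the data row, `WyriHaximus/github-action-files-in-commit`, is mixed-case, while GitHub resolves `uses:` references case-insensitively, so a workflow written as `wyrihaximus/github-action-files-in-commit@v1` would be missed if the predicate that consumes the first column of `actionsSourceModel` compares it as an exact string. That predicate is outside this patch, so I can't tell whether it already normalizes case; if it does not, either lower-case both sides in the lookup or add a comment on the row noting that the casing must match what workflows actually write. The same concern applies to the `AvraamMavridis/files-changed-action` and `Rishabh510/Path-lister-action` rows added later in this series.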
+++ b/ql/lib/ext/manual/avraamMavridis_files-changed-action.model.yml @@ -0,0 +1,10 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/AvraamMavridis/files-changed-action + - ["AvraamMavridis/files-changed-action", "*", "output.CHANGED_FILES", "filename", "manual"] + - ["AvraamMavridis/files-changed-action", "*", "output.CHANGED_FILES_EXTENSIONS", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml new file mode 100644 index 00000000000..3a5cf8c8be2 --- /dev/null +++ b/ql/lib/ext/manual/jsmith_changes-since-last-tag.model.yml @@ -0,0 +1,12 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/jsmith/changes-since-last-tag + - ["jsmith/changes-since-last-tag", "*", "output.files", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.added", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.modified", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.removed", "filename", "manual"] + - ["jsmith/changes-since-last-tag", "*", "output.renamed", "filename", "manual"] + diff --git a/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml new file mode 100644 index 00000000000..0d4df5ef6b1 --- /dev/null +++ b/ql/lib/ext/manual/karpikpl_list-changed-files-action.model.yml @@ -0,0 +1,8 @@ + +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/karpikpl/list-changed-files-action + - ["karpikpl/list-changed-files-action", "*", "output.changed_files", "filename", "manual"] diff --git a/ql/lib/ext/manual/knu_changed-files.model.yml b/ql/lib/ext/manual/knu_changed-files.model.yml new file mode 100644 index 00000000000..5e7374dabad --- /dev/null 
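Review bot: The `output.CHANGED_FILES_EXTENSIONS` row deserves a one-line justification, because a reader may assume a list of extensions is harmless and drop it during a later cleanup. If the extension is sliced from the changed file's name (the output name suggests so, but this hunk does not show the action's implementation), a PR author who adds a file named `x.$(id)` controls that output as fully as the path itself, which is why tagging it as a `filename` source is correct. Suggested comment above the row: `# extensions are derived from attacker-named paths, so they are as untrusted as the paths themselves`.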
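Review bot: This file opens with a blank line before `extensions:`, unlike the other model files in this patch, most of which start directly at `extensions:` and several of which instead end with one or two trailing blank lines. Twelve hand-written files added in one commit should share one layout — no leading blank line, a single trailing newline — so that diffs against the manual models stay noise-free; `knu_changed-files.model.yml` has the same leading blank line.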
+++ b/ql/lib/ext/manual/knu_changed-files.model.yml @@ -0,0 +1,11 @@ + +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/knu/changed-files + - ["knu/changed-files", "*", "output.changed_files", "filename", "manual"] + - ["knu/changed-files", "*", "output.changed_files_json", "filename", "manual"] + - ["knu/changed-files", "*", "output.matched_files", "filename", "manual"] + - ["knu/changed-files", "*", "output.matched_files_json", "filename", "manual"] diff --git a/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml new file mode 100644 index 00000000000..9d0ecf04c6b --- /dev/null +++ b/ql/lib/ext/manual/martinhaintz_ga-file-list.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/martinhaintz/ga-file-list + - ["martinhaintz/ga-file-list", "*", "output.files", "filename", "manual"] + - ["martinhaintz/ga-file-list", "*", "output.file_names", "filename", "manual"] diff --git a/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml new file mode 100644 index 00000000000..281602cf0c7 --- /dev/null +++ b/ql/lib/ext/manual/rishabh510_path-lister-action.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/Rishabh510/Path-lister-action + - ["Rishabh510/Path-lister-action", "*", "output.paths", "filename", "manual"] + + diff --git a/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml new file mode 100644 index 00000000000..7daafbc2fd8 --- /dev/null +++ b/ql/lib/ext/manual/the-coding-turtle_ga-file-list.model.yml 
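Review bot: `output.changed_files_json` and `output.matched_files_json` are tagged with kind `filename`, whereas the existing `ahmadnassri/action-changed-files` model visible in test.expected tags its JSON output as `json` (`| output.json | json | manual |`). If the kind column is meant to single out structured outputs that a workflow typically unpacks with `fromJSON()` before use, these two rows should read `"json"` for consistency; if `filename` is kept on purpose because the payload is a list of attacker-named paths, a short comment on the two rows saying so would stop the next reader from "fixing" it. Either way, the two actions should be modeled the same way.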
@@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/the-coding-turtle/ga-file-list + - ["the-coding-turtle/ga-file-list", "*", "output.files", "filename", "manual"] + - ["the-coding-turtle/ga-file-list", "*", "output.file_names", "filename", "manual"] diff --git a/ql/lib/ext/manual/w3f_action-find-old-files.model.yml b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml new file mode 100644 index 00000000000..38d892966d4 --- /dev/null +++ b/ql/lib/ext/manual/w3f_action-find-old-files.model.yml @@ -0,0 +1,8 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/w3f/action-find-old-files + - ["w3f/action-find-old-files", "*", "output.files", "filename", "manual"] + diff --git a/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml new file mode 100644 index 00000000000..c65f7b1055f --- /dev/null +++ b/ql/lib/ext/manual/yumemi-inc_changed-files.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: actionsSourceModel + data: + # https://github.com/yumemi-inc/changed-files + - ["yumemi-inc/changed-files", "*", "output.files", "filename", "manual"] + + From 15bb4d851d8210ce97b1d44bec6d7a8edd71b4aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 11 Sep 2024 10:25:31 +0200 Subject: [PATCH 2/3] Add new test for flow through matrix --- .../CWE-094/.github/workflows/matrix_flow.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml new file mode 100644 index 00000000000..1093ddd3c4c --- /dev/null 
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/matrix_flow.yml @@ -0,0 +1,29 @@ +name: Matrix Flow + +on: + pull_request_target: + +jobs: + lookup: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.filelist.outputs.file_names }} + steps: + - uses: actions/checkout@v2 + - name: Get all zip files + id: filelist + uses: the-coding-turtle/ga-file-list@v0.1 + with: + directory: "." + file_extension: "zip" + + multi_tenant: + needs: lookup + runs-on: ubuntu-latest + strategy: + matrix: + tenant: ${{fromJson(needs.lookup.outputs.matrix)}} + steps: + - name: Show all files + run: | + echo "this is file: ${{ matrix.TENANT }}" From 5fe81ddb08b18a29bce260d9a052c623e2049931 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Wed, 11 Sep 2024 18:07:25 +0200 Subject: [PATCH 3/3] Update tests --- ql/test/library-tests/test.expected | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected index 6bedcadcdba..9205675ac0f 100644 --- a/ql/test/library-tests/test.expected +++ b/ql/test/library-tests/test.expected 
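Review bot: No expected result for this new workflow appears in the series — PATCH 3/3 touches only `ql/test/library-tests/test.expected` — so unless the CWE-094 query test's `.expected` file is updated outside this patch, the `matrix_flow.yml` case will either fail the test run or silently assert that nothing is reported. The step reads `matrix.TENANT` while the matrix key is `tenant`; as far as I know the Actions expression evaluator resolves property names case-insensitively, so if the mismatch is deliberate to exercise that in the taint tracking, say so with a comment such as `# deliberate case mismatch: context property lookup is case-insensitive at runtime`, otherwise use `matrix.tenant`. Note also that `actions/checkout@v2` under `pull_request_target` with no `ref:` checks out the base branch, so in this exact workflow the zip names listed by `ga-file-list` come from the base tree; adding `ref: ${{ github.event.pull_request.head.sha }}` makes the attacker-controlled file names genuinely reach the matrix and the `run:` interpolation the test is meant to flag.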
@@ -1327,10 +1327,18 @@ scopes
 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 sources
+| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES | filename | manual |
+| AvraamMavridis/files-changed-action | * | output.CHANGED_FILES_EXTENSIONS | filename | manual |
+| Rishabh510/Path-lister-action | * | output.paths | filename | manual |
+| WyriHaximus/github-action-files-in-commit | * | output.files | filename | manual |
+| ab185508/file-type-finder | * | output.extaddpaths | filename | manual |
+| ab185508/file-type-finder | * | output.names | filename | manual |
+| ab185508/file-type-finder | * | output.paths | filename | manual |
 | ahmadnassri/action-changed-files | * | output.files | filename | manual |
 | ahmadnassri/action-changed-files | * | output.json | json | manual |
 | alessbell/pull-request-comment-branch | * | output.head_ref | branch | manual |
 | amannn/action-semantic-pull-request | * | output.error_message | text | manual |
+| ankitjain28may/list-files-in-pr | * | output.pullRequestFiles | filename | manual |
 | cypress-io/github-action | * | env.GH_BRANCH | branch | manual |
 | dawidd6/action-download-artifact | * | output.artifacts | artifact | manual |
 | eficode/resolve-pr-refs | * | output.head_ref | branch | manual |
@@ -1345,16 +1353,30 @@ sources | jitterbit/get-changed-files | * | output.modified | filename | manual | | jitterbit/get-changed-files | * | output.removed | filename | manual | | jitterbit/get-changed-files | * | output.renamed | filename | manual | +| jsmith/changes-since-last-tag | * | output.added | filename | manual | +| jsmith/changes-since-last-tag | * | output.files | filename | manual | +| jsmith/changes-since-last-tag | * | output.modified | filename | manual | +| jsmith/changes-since-last-tag | * | output.removed | filename | manual | +| jsmith/changes-since-last-tag | * | output.renamed | filename | manual | +| karpikpl/list-changed-files-action | * | output.changed_files | filename | manual | | khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| knu/changed-files | * | output.changed_files | filename | manual | +| knu/changed-files | * | output.changed_files_json | filename | manual | +| knu/changed-files | * | output.matched_files | filename | manual | +| knu/changed-files | * | output.matched_files_json | filename | manual | | lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual | | lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual | | marocchino/on_artifact | * | output.* | artifact | manual | +| martinhaintz/ga-file-list | * | output.file_names | filename | manual | +| martinhaintz/ga-file-list | * | output.files | filename | manual | | peter-murray/issue-body-parser-action | * | output.* | text | manual | | potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual | | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| 
the-coding-turtle/ga-file-list | * | output.file_names | filename | manual | +| the-coding-turtle/ga-file-list | * | output.files | filename | manual | | tj-actions/branch-names | * | output.current_branch | branch | manual | | tj-actions/branch-names | * | output.head_ref_branch | branch | manual | | trilom/file-changes-action | * | output.files | filename | manual | @@ -1362,7 +1384,9 @@ sources | trilom/file-changes-action | * | output.files_modified | filename | manual | | trilom/file-changes-action | * | output.files_removed | filename | manual | | tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| w3f/action-find-old-files | * | output.files | filename | manual | | xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual | +| yumemi-inc/changed-files | * | output.files | filename | manual | summaries | ActionsTools/read-json-action | * | artifact | output.* | taint | manual | | BrycensRanch/read-properties-action | * | artifact | output.* | taint | manual |