Add more poisonable steps

ql/lib/codeql/actions/security/PoisonableSteps.qll

@@ -29,7 +29,7 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run {
   LocalScriptExecutionRunStep() {
     exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() |
       poisonableLocalScriptsDataModel(regexp, group) and
-      cmd = line.regexpCapture("(^|\\b|\\s+)" + regexp, group)
+      cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group)
     )
   }
 

ql/lib/ext/config/poisonable_steps.yml

@@ -35,6 +35,9 @@ extensions:
       - ["npm i(nstall)?"]
       - ["npm run"]
       - ["npm ci"]
+      - ["pnpm i(nstall)?"]
+      - ["pnpm run"]
+      - ["pnpm ci"]
       - ["pre-commit"]
       - ["prettier"]
       - ["pip install -r"]
@@ -54,10 +57,10 @@ extensions:
       extensible: poisonableLocalScriptsDataModel
     data:
       # TODO: It could also be in the form of `dir/cmd`
-      - ["(\\.\\/)(.*)(\\s+|;|$)", 3]
-      - ["(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3]
-      - ["(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3]
-      - ["(python)\\s+(.*)\\.py(\\s+|;|$)", 3]
-      - ["(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3]
-      - ["(go)\\s+(.*)\\.go(\\s+|;|$)", 3]
+      - ["(\\.\\/)(.*)", 3]
+      - ["(source|sh|bash|zsh|fish)\\s+(.*)", 3]
+      - ["(node)\\s+(.*)(\\.js|\\.ts)", 3]
+      - ["(python)\\s+(.*)\\.py", 3]
+      - ["(ruby)\\s+(.*)\\.rb", 3]
+      - ["(go)\\s+(.*)\\.go", 3]