Merge branch 'main' into js/no-type-extraction

2026-04-30 19:26:02 +02:00 · 2025-07-02 13:18:05 +02:00
parent 4b2025d2c4 e47f16b100
commit 47a90c8b32
3422 changed files with 206060 additions and 90419 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js
@@ -60,4 +60,8 @@
 	/^(foo.example\.com|whatever)$/; // $ Alert (but kinda OK - one disjunction doesn't even look like a hostname)

 	if (s.matchAll("^http://test.example.com")) {} // $ Alert
+
+	const sinon = require('sinon');
+	const megacliteUrl = "https://a.b.com";
+	sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
 });
--- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst.js
@@ -0,0 +1,6 @@
+const sinon = require('sinon');
+
+function testFunction() {
+  const megacliteUrl = "https://a.b.com";
+	sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
+}
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -48,6 +48,10 @@
 | TaintedPath.js:214:29:214:42 | improperEscape | TaintedPath.js:212:24:212:30 | req.url | TaintedPath.js:214:29:214:42 | improperEscape | This path depends on a $@. | TaintedPath.js:212:24:212:30 | req.url | user-provided value |
 | TaintedPath.js:216:29:216:43 | improperEscape2 | TaintedPath.js:212:24:212:30 | req.url | TaintedPath.js:216:29:216:43 | improperEscape2 | This path depends on a $@. | TaintedPath.js:212:24:212:30 | req.url | user-provided value |
 | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value |
+| execa.js:9:26:9:33 | filePath | execa.js:6:30:6:36 | req.url | execa.js:9:26:9:33 | filePath | This path depends on a $@. | execa.js:6:30:6:36 | req.url | user-provided value |
+| execa.js:12:37:12:44 | filePath | execa.js:6:30:6:36 | req.url | execa.js:12:37:12:44 | filePath | This path depends on a $@. | execa.js:6:30:6:36 | req.url | user-provided value |
+| execa.js:15:50:15:57 | filePath | execa.js:6:30:6:36 | req.url | execa.js:15:50:15:57 | filePath | This path depends on a $@. | execa.js:6:30:6:36 | req.url | user-provided value |
+| execa.js:18:62:18:69 | filePath | execa.js:6:30:6:36 | req.url | execa.js:18:62:18:69 | filePath | This path depends on a $@. | execa.js:6:30:6:36 | req.url | user-provided value |
 | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value |
 | handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value |
 | handlebars.js:15:25:15:32 | filePath | handlebars.js:43:15:43:29 | req.params.path | handlebars.js:15:25:15:32 | filePath | This path depends on a $@. | handlebars.js:43:15:43:29 | req.params.path | user-provided value |
@@ -399,6 +403,15 @@ edges
 | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | examples/TaintedPath.js:8:7:8:52 | filePath | provenance |  |
 | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | provenance | Config |
 | examples/TaintedPath.js:10:36:10:43 | filePath | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | provenance | Config |
+| execa.js:6:9:6:64 | filePath | execa.js:9:26:9:33 | filePath | provenance |  |
+| execa.js:6:9:6:64 | filePath | execa.js:12:37:12:44 | filePath | provenance |  |
+| execa.js:6:9:6:64 | filePath | execa.js:15:50:15:57 | filePath | provenance |  |
+| execa.js:6:9:6:64 | filePath | execa.js:18:62:18:69 | filePath | provenance |  |
+| execa.js:6:20:6:43 | url.par ... , true) | execa.js:6:20:6:49 | url.par ... ).query | provenance | Config |
+| execa.js:6:20:6:49 | url.par ... ).query | execa.js:6:20:6:61 | url.par ... ePath"] | provenance | Config |
+| execa.js:6:20:6:61 | url.par ... ePath"] | execa.js:6:20:6:64 | url.par ... th"][0] | provenance | Config |
+| execa.js:6:20:6:64 | url.par ... th"][0] | execa.js:6:9:6:64 | filePath | provenance |  |
+| execa.js:6:30:6:36 | req.url | execa.js:6:20:6:43 | url.par ... , true) | provenance | Config |
 | handlebars.js:10:51:10:58 | filePath | handlebars.js:11:32:11:39 | filePath | provenance |  |
 | handlebars.js:13:73:13:80 | filePath | handlebars.js:15:25:15:32 | filePath | provenance |  |
 | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:10:51:10:58 | filePath | provenance |  |
@@ -944,6 +957,16 @@ nodes
 | examples/TaintedPath.js:8:28:8:34 | req.url | semmle.label | req.url |
 | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | semmle.label | ROOT + filePath |
 | examples/TaintedPath.js:10:36:10:43 | filePath | semmle.label | filePath |
+| execa.js:6:9:6:64 | filePath | semmle.label | filePath |
+| execa.js:6:20:6:43 | url.par ... , true) | semmle.label | url.par ... , true) |
+| execa.js:6:20:6:49 | url.par ... ).query | semmle.label | url.par ... ).query |
+| execa.js:6:20:6:61 | url.par ... ePath"] | semmle.label | url.par ... ePath"] |
+| execa.js:6:20:6:64 | url.par ... th"][0] | semmle.label | url.par ... th"][0] |
+| execa.js:6:30:6:36 | req.url | semmle.label | req.url |
+| execa.js:9:26:9:33 | filePath | semmle.label | filePath |
+| execa.js:12:37:12:44 | filePath | semmle.label | filePath |
+| execa.js:15:50:15:57 | filePath | semmle.label | filePath |
+| execa.js:18:62:18:69 | filePath | semmle.label | filePath |
 | express.js:8:20:8:32 | req.query.bar | semmle.label | req.query.bar |
 | handlebars.js:10:51:10:58 | filePath | semmle.label | filePath |
 | handlebars.js:11:32:11:39 | filePath | semmle.label | filePath |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/execa.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/execa.js
@@ -0,0 +1,19 @@
+import { execa, $ } from 'execa';
+import http from 'node:http'
+import url from 'url'
+
+http.createServer(async function (req, res) {
+    let filePath = url.parse(req.url, true).query["filePath"][0]; // $Source
+
+    // Piping to stdin from a file
+    await $({ inputFile: filePath })`cat` // $Alert
+
+    // Piping to stdin from a file
+    await execa('cat', { inputFile: filePath });  // $Alert
+
+    // Piping Stdout to file
+    await execa('echo', ['example3']).pipeStdout(filePath); // $Alert
+
+    // Piping all of command output to file
+    await execa('echo', ['example4'], { all: true }).pipeAll(filePath); // $Alert
+});
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected
@@ -24,6 +24,33 @@
 | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value |
 | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value |
 | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command line depends on a $@. | execSeries.js:18:34:18:40 | req.url | user-provided value |
+| execa.js:11:15:11:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:11:15:11:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:13:32:13:34 | cmd | execa.js:6:25:6:31 | req.url | execa.js:13:32:13:34 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:14:31:14:33 | cmd | execa.js:6:25:6:31 | req.url | execa.js:14:31:14:33 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:17:14:17:16 | cmd | execa.js:6:25:6:31 | req.url | execa.js:17:14:17:16 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:19:32:19:34 | cmd | execa.js:6:25:6:31 | req.url | execa.js:19:32:19:34 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:20:33:20:35 | cmd | execa.js:6:25:6:31 | req.url | execa.js:20:33:20:35 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:23:17:23:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:23:17:23:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:24:17:24:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:24:17:24:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:25:17:25:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:25:17:25:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:27:15:27:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:27:15:27:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:28:15:28:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:28:15:28:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:30:24:30:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:30:24:30:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:30:24:30:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:30:24:30:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
+| execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
+| execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
+| execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:33:22:33:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:33:22:33:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:33:22:33:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:33:22:33:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
+| execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
+| execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
+| execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | This command line depends on a $@. | form-parsers.js:9:19:9:26 | req.file | user-provided value |
 | form-parsers.js:14:10:14:37 | "touch  ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch  ... nalname | This command line depends on a $@. | form-parsers.js:13:3:13:11 | req.files | user-provided value |
 | form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command line depends on a $@. | form-parsers.js:24:48:24:55 | filename | user-provided value |
@@ -112,6 +139,57 @@ edges
 | execSeries.js:18:34:18:40 | req.url | execSeries.js:18:13:18:47 | require ... , true) | provenance |  |
 | execSeries.js:19:12:19:16 | [cmd] [0] | execSeries.js:13:19:13:26 | commands [0] | provenance |  |
 | execSeries.js:19:13:19:15 | cmd | execSeries.js:19:12:19:16 | [cmd] [0] | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:11:15:11:17 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:13:32:13:34 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:14:31:14:33 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:17:14:17:16 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:19:32:19:34 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:20:33:20:35 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:23:17:23:19 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:24:17:24:19 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:25:17:25:19 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:27:15:27:17 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:28:15:28:17 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:30:24:30:26 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:31:24:31:26 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:33:22:33:24 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:34:22:34:24 | cmd | provenance |  |
+| execa.js:6:15:6:38 | url.par ... , true) | execa.js:6:9:6:54 | cmd | provenance |  |
+| execa.js:6:25:6:31 | req.url | execa.js:6:15:6:38 | url.par ... , true) | provenance |  |
+| execa.js:7:9:7:53 | arg1 | execa.js:30:30:30:33 | arg1 | provenance |  |
+| execa.js:7:9:7:53 | arg1 | execa.js:31:30:31:33 | arg1 | provenance |  |
+| execa.js:7:9:7:53 | arg1 | execa.js:33:28:33:31 | arg1 | provenance |  |
+| execa.js:7:9:7:53 | arg1 | execa.js:34:28:34:31 | arg1 | provenance |  |
+| execa.js:7:16:7:39 | url.par ... , true) | execa.js:7:9:7:53 | arg1 | provenance |  |
+| execa.js:7:26:7:32 | req.url | execa.js:7:16:7:39 | url.par ... , true) | provenance |  |
+| execa.js:8:9:8:53 | arg2 | execa.js:30:37:30:40 | arg2 | provenance |  |
+| execa.js:8:9:8:53 | arg2 | execa.js:31:37:31:40 | arg2 | provenance |  |
+| execa.js:8:9:8:53 | arg2 | execa.js:33:35:33:38 | arg2 | provenance |  |
+| execa.js:8:9:8:53 | arg2 | execa.js:34:35:34:38 | arg2 | provenance |  |
+| execa.js:8:16:8:39 | url.par ... , true) | execa.js:8:9:8:53 | arg2 | provenance |  |
+| execa.js:8:26:8:32 | req.url | execa.js:8:16:8:39 | url.par ... , true) | provenance |  |
+| execa.js:9:9:9:53 | arg3 | execa.js:30:44:30:47 | arg3 | provenance |  |
+| execa.js:9:9:9:53 | arg3 | execa.js:31:44:31:47 | arg3 | provenance |  |
+| execa.js:9:9:9:53 | arg3 | execa.js:33:42:33:45 | arg3 | provenance |  |
+| execa.js:9:9:9:53 | arg3 | execa.js:34:42:34:45 | arg3 | provenance |  |
+| execa.js:9:16:9:39 | url.par ... , true) | execa.js:9:9:9:53 | arg3 | provenance |  |
+| execa.js:9:26:9:32 | req.url | execa.js:9:16:9:39 | url.par ... , true) | provenance |  |
+| execa.js:30:24:30:26 | cmd | execa.js:30:24:30:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:30:30:30:33 | arg1 | execa.js:30:24:30:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:30:37:30:40 | arg2 | execa.js:30:24:30:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:30:44:30:47 | arg3 | execa.js:30:24:30:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:31:24:31:26 | cmd | execa.js:31:24:31:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:31:30:31:33 | arg1 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:31:37:31:40 | arg2 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:31:44:31:47 | arg3 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:33:22:33:24 | cmd | execa.js:33:22:33:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:33:28:33:31 | arg1 | execa.js:33:22:33:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:33:35:33:38 | arg2 | execa.js:33:22:33:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:33:42:33:45 | arg3 | execa.js:33:22:33:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:34:22:34:24 | cmd | execa.js:34:22:34:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:34:28:34:31 | arg1 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:34:35:34:38 | arg2 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:34:42:34:45 | arg3 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | provenance |  |
 | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | provenance |  |
 | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:13:21:13:24 | file | provenance |  |
 | form-parsers.js:13:21:13:24 | file | form-parsers.js:14:21:14:24 | file | provenance |  |
@@ -216,6 +294,49 @@ nodes
 | execSeries.js:18:34:18:40 | req.url | semmle.label | req.url |
 | execSeries.js:19:12:19:16 | [cmd] [0] | semmle.label | [cmd] [0] |
 | execSeries.js:19:13:19:15 | cmd | semmle.label | cmd |
+| execa.js:6:9:6:54 | cmd | semmle.label | cmd |
+| execa.js:6:15:6:38 | url.par ... , true) | semmle.label | url.par ... , true) |
+| execa.js:6:25:6:31 | req.url | semmle.label | req.url |
+| execa.js:7:9:7:53 | arg1 | semmle.label | arg1 |
+| execa.js:7:16:7:39 | url.par ... , true) | semmle.label | url.par ... , true) |
+| execa.js:7:26:7:32 | req.url | semmle.label | req.url |
+| execa.js:8:9:8:53 | arg2 | semmle.label | arg2 |
+| execa.js:8:16:8:39 | url.par ... , true) | semmle.label | url.par ... , true) |
+| execa.js:8:26:8:32 | req.url | semmle.label | req.url |
+| execa.js:9:9:9:53 | arg3 | semmle.label | arg3 |
+| execa.js:9:16:9:39 | url.par ... , true) | semmle.label | url.par ... , true) |
+| execa.js:9:26:9:32 | req.url | semmle.label | req.url |
+| execa.js:11:15:11:17 | cmd | semmle.label | cmd |
+| execa.js:13:32:13:34 | cmd | semmle.label | cmd |
+| execa.js:14:31:14:33 | cmd | semmle.label | cmd |
+| execa.js:17:14:17:16 | cmd | semmle.label | cmd |
+| execa.js:19:32:19:34 | cmd | semmle.label | cmd |
+| execa.js:20:33:20:35 | cmd | semmle.label | cmd |
+| execa.js:23:17:23:19 | cmd | semmle.label | cmd |
+| execa.js:24:17:24:19 | cmd | semmle.label | cmd |
+| execa.js:25:17:25:19 | cmd | semmle.label | cmd |
+| execa.js:27:15:27:17 | cmd | semmle.label | cmd |
+| execa.js:28:15:28:17 | cmd | semmle.label | cmd |
+| execa.js:30:24:30:26 | cmd | semmle.label | cmd |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
+| execa.js:30:30:30:33 | arg1 | semmle.label | arg1 |
+| execa.js:30:37:30:40 | arg2 | semmle.label | arg2 |
+| execa.js:30:44:30:47 | arg3 | semmle.label | arg3 |
+| execa.js:31:24:31:26 | cmd | semmle.label | cmd |
+| execa.js:31:24:31:47 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
+| execa.js:31:30:31:33 | arg1 | semmle.label | arg1 |
+| execa.js:31:37:31:40 | arg2 | semmle.label | arg2 |
+| execa.js:31:44:31:47 | arg3 | semmle.label | arg3 |
+| execa.js:33:22:33:24 | cmd | semmle.label | cmd |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
+| execa.js:33:28:33:31 | arg1 | semmle.label | arg1 |
+| execa.js:33:35:33:38 | arg2 | semmle.label | arg2 |
+| execa.js:33:42:33:45 | arg3 | semmle.label | arg3 |
+| execa.js:34:22:34:24 | cmd | semmle.label | cmd |
+| execa.js:34:22:34:45 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
+| execa.js:34:28:34:31 | arg1 | semmle.label | arg1 |
+| execa.js:34:35:34:38 | arg2 | semmle.label | arg2 |
+| execa.js:34:42:34:45 | arg3 | semmle.label | arg3 |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname | semmle.label | "touch  ... nalname |
 | form-parsers.js:9:19:9:26 | req.file | semmle.label | req.file |
 | form-parsers.js:13:3:13:11 | req.files | semmle.label | req.files |
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js
@@ -0,0 +1,35 @@
+import { execa, execaSync, execaCommand, execaCommandSync, $ } from 'execa';
+import http from 'node:http'
+import url from 'url'
+
+http.createServer(async function (req, res) {
+    let cmd = url.parse(req.url, true).query["cmd"][0]; // $Source
+    let arg1 = url.parse(req.url, true).query["arg1"]; // $Source
+    let arg2 = url.parse(req.url, true).query["arg2"]; // $Source
+    let arg3 = url.parse(req.url, true).query["arg3"]; // $Source
+
+    await $`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    await $`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
+    $({ shell: false }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    $({ shell: true }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    $({ shell: false }).sync`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
+
+    $.sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    $.sync`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
+    await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
+
+    await execa(cmd, [arg1, arg2, arg3]); // $Alert
+    await execa(cmd, { shell: true }); // $Alert
+    await execa(cmd, [arg1, arg2, arg3], { shell: true }); // $Alert
+
+    execaSync(cmd, [arg1, arg2, arg3]); // $Alert
+    execaSync(cmd, [arg1, arg2, arg3], { shell: true }); // $Alert
+
+    await execaCommand(cmd + arg1 + arg2 + arg3); // $Alert
+    await execaCommand(cmd + arg1 + arg2 + arg3, { shell: true }); // $Alert
+
+    execaCommandSync(cmd + arg1 + arg2 + arg3); // $Alert
+    execaCommandSync(cmd + arg1 + arg2 + arg3, { shell: true }); // $Alert
+});
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -65,7 +65,8 @@
 | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | react-native.js:10:23:10:29 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:10:23:10:29 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
-| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash | This code execution depends on a $@. | react.js:10:56:10:77 | documen ... on.hash | user-provided value |
+| react.js:11:56:11:77 | documen ... on.hash | react.js:11:56:11:77 | documen ... on.hash | react.js:11:56:11:77 | documen ... on.hash | This code execution depends on a $@. | react.js:11:56:11:77 | documen ... on.hash | user-provided value |
+| react.js:25:8:25:11 | data | react-server-function.js:3:35:3:35 | x | react.js:25:8:25:11 | data | This code execution depends on a $@. | react-server-function.js:3:35:3:35 | x | user-provided value |
 | template-sinks.js:20:17:20:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:20:17:20:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
 | template-sinks.js:21:16:21:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:21:16:21:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
 | template-sinks.js:22:18:22:24 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:22:18:22:24 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
@@ -156,6 +157,12 @@ edges
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance |  |
 | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance |  |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance |  |
+| react-server-function.js:3:35:3:35 | x | react-server-function.js:4:12:4:12 | x | provenance |  |
+| react-server-function.js:4:12:4:12 | x | react-server-function.js:4:12:4:29 | x + " from server" | provenance |  |
+| react-server-function.js:4:12:4:29 | x + " from server" | react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | provenance |  |
+| react.js:24:9:24:45 | data | react.js:25:8:25:11 | data | provenance |  |
+| react.js:24:16:24:45 | use(ech ... alue")) | react.js:24:9:24:45 | data | provenance |  |
+| react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | react.js:24:16:24:45 | use(ech ... alue")) | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:20:17:20:23 | tainted | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:21:16:21:22 | tainted | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:22:18:22:24 | tainted | provenance |  |
@@ -287,7 +294,14 @@ nodes
 | react-native.js:7:17:7:33 | req.param("code") | semmle.label | req.param("code") |
 | react-native.js:8:32:8:38 | tainted | semmle.label | tainted |
 | react-native.js:10:23:10:29 | tainted | semmle.label | tainted |
-| react.js:10:56:10:77 | documen ... on.hash | semmle.label | documen ... on.hash |
+| react-server-function.js:3:35:3:35 | x | semmle.label | x |
+| react-server-function.js:4:12:4:12 | x | semmle.label | x |
+| react-server-function.js:4:12:4:29 | x + " from server" | semmle.label | x + " from server" |
+| react.js:11:56:11:77 | documen ... on.hash | semmle.label | documen ... on.hash |
+| react.js:24:9:24:45 | data | semmle.label | data |
+| react.js:24:16:24:45 | use(ech ... alue")) | semmle.label | use(ech ... alue")) |
+| react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | semmle.label | echoSer ... value") [PromiseValue] |
+| react.js:25:8:25:11 | data | semmle.label | data |
 | template-sinks.js:18:9:18:31 | tainted | semmle.label | tainted |
 | template-sinks.js:18:19:18:31 | req.query.foo | semmle.label | req.query.foo |
 | template-sinks.js:20:17:20:23 | tainted | semmle.label | tainted |
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
@@ -58,6 +58,12 @@ edges
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance |  |
 | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance |  |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance |  |
+| react-server-function.js:3:35:3:35 | x | react-server-function.js:4:12:4:12 | x | provenance |  |
+| react-server-function.js:4:12:4:12 | x | react-server-function.js:4:12:4:29 | x + " from server" | provenance |  |
+| react-server-function.js:4:12:4:29 | x + " from server" | react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | provenance |  |
+| react.js:24:9:24:45 | data | react.js:25:8:25:11 | data | provenance |  |
+| react.js:24:16:24:45 | use(ech ... alue")) | react.js:24:9:24:45 | data | provenance |  |
+| react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | react.js:24:16:24:45 | use(ech ... alue")) | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:20:17:20:23 | tainted | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:21:16:21:22 | tainted | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:22:18:22:24 | tainted | provenance |  |
@@ -191,7 +197,14 @@ nodes
 | react-native.js:7:17:7:33 | req.param("code") | semmle.label | req.param("code") |
 | react-native.js:8:32:8:38 | tainted | semmle.label | tainted |
 | react-native.js:10:23:10:29 | tainted | semmle.label | tainted |
-| react.js:10:56:10:77 | documen ... on.hash | semmle.label | documen ... on.hash |
+| react-server-function.js:3:35:3:35 | x | semmle.label | x |
+| react-server-function.js:4:12:4:12 | x | semmle.label | x |
+| react-server-function.js:4:12:4:29 | x + " from server" | semmle.label | x + " from server" |
+| react.js:11:56:11:77 | documen ... on.hash | semmle.label | documen ... on.hash |
+| react.js:24:9:24:45 | data | semmle.label | data |
+| react.js:24:16:24:45 | use(ech ... alue")) | semmle.label | use(ech ... alue")) |
+| react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | semmle.label | echoSer ... value") [PromiseValue] |
+| react.js:25:8:25:11 | data | semmle.label | data |
 | template-sinks.js:18:9:18:31 | tainted | semmle.label | tainted |
 | template-sinks.js:18:19:18:31 | req.query.foo | semmle.label | req.query.foo |
 | template-sinks.js:20:17:20:23 | tainted | semmle.label | tainted |
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-server-function.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-server-function.js
@@ -0,0 +1,5 @@
+"use server";
+
+export async function echoService(x) { // $ Source[js/code-injection]
+    return x + " from server";
+}
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react.js
@@ -1,6 +1,7 @@
-import React from "react";
+import React, { use } from "react";
 import {Helmet} from "react-helmet";
- 
+import { echoService } from "./react-server-function";
+
 class Application extends React.Component {
  render () {
    return (
@@ -14,4 +15,12 @@ class Application extends React.Component {
  }
 };

-export default Application
+export default Application
+
+export function Component() {
+  // We currently get false-positive flow through server functions in cases where a safe value
+  // is passed as the argument, which flows to the return value. In this case, the tainted parameter
+  // flows out of the return value regardless.
+  const data = use(echoService("safe value"));
+  eval(data); // $ SPURIOUS: Alert[js/code-injection]
+}
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue.yml
@@ -1,28 +0,0 @@
-on: issue_comment
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: |
-        echo '${{ github.event.comment.body }}'
-
-  echo-chamber2:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.comment.body }}'
-    - run: echo '${{ github.event.issue.body }}'
-    - run: echo '${{ github.event.issue.title }}'
-
-  echo-chamber3:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/github-script@v3
-      with:
-        script: console.log('${{ github.event.comment.body }}')
-    - uses: actions/github-script@v3
-      with:
-        script: console.log('${{ github.event.issue.body }}')
-    - uses: actions/github-script@v3
-      with:
-        script: console.log('${{ github.event.issue.title }}')
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue_newline.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue_newline.yml
@@ -1,10 +0,0 @@
-on: issue_comment
-
-# same as comment_issue but this file ends with a line break
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-      - run: |
-          echo '${{ github.event.comment.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/discussion.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/discussion.yml
@@ -1,8 +0,0 @@
-on: discussion
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.discussion.title }}'
-    - run: echo '${{ github.event.discussion.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/discussion_comment.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/discussion_comment.yml
@@ -1,9 +0,0 @@
-on: discussion_comment
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.discussion.title }}'
-    - run: echo '${{ github.event.discussion.body }}'
-    - run: echo '${{ github.event.comment.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/gollum.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/gollum.yml
@@ -1,11 +0,0 @@
-on: gollum
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.pages[1].title }}'
-    - run: echo '${{ github.event.pages[11].title }}'
-    - run: echo '${{ github.event.pages[0].page_name }}'
-    - run: echo '${{ github.event.pages[2222].page_name }}'
-    - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/issues.yaml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/issues.yaml
@@ -1,20 +0,0 @@
-on: issues
-
-env:
-  global_env: ${{ github.event.issue.title }}
-  test: test
-
-jobs:
-  echo-chamber:
-    env:
-      job_env: ${{ github.event.issue.title }}
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.issue.title }}'
-    - run: echo '${{ github.event.issue.body }}'
-    - run: echo '${{ env.global_env }}'
-    - run: echo '${{ env.test }}'
-    - run: echo '${{ env.job_env }}'
-    - run: echo '${{ env.step_env }}'
-      env:
-        step_env: ${{ github.event.issue.title }}
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_review.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_review.yml
@@ -1,14 +0,0 @@
-on: pull_request_review
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.pull_request.title }}'
-    - run: echo '${{ github.event.pull_request.body }}'
-    - run: echo '${{ github.event.pull_request.head.label }}'
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
-    - run: echo '${{ github.event.pull_request.head.repo.description }}'
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
-    - run: echo '${{ github.event.pull_request.head.ref }}'
-    - run: echo '${{ github.event.review.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_review_comment.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_review_comment.yml
@@ -1,14 +0,0 @@
-on: pull_request_review_comment
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.pull_request.title }}'
-    - run: echo '${{ github.event.pull_request.body }}'
-    - run: echo '${{ github.event.pull_request.head.label }}'
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
-    - run: echo '${{ github.event.pull_request.head.repo.description }}'
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
-    - run: echo '${{ github.event.pull_request.head.ref }}'
-    - run: echo '${{ github.event.comment.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_target.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/pull_request_target.yml
@@ -1,16 +0,0 @@
-on: pull_request_target
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.issue.title }}' # not defined
-    - run: echo '${{ github.event.issue.body }}' # not defined
-    - run: echo '${{ github.event.pull_request.title }}'
-    - run: echo '${{ github.event.pull_request.body }}'
-    - run: echo '${{ github.event.pull_request.head.label }}'
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
-    - run: echo '${{ github.event.pull_request.head.repo.description }}'
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
-    - run: echo '${{ github.event.pull_request.head.ref }}'
-    - run: echo '${{ github.head_ref }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/push.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/push.yml
@@ -1,16 +0,0 @@
-on: push
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.commits[11].message }}'
-    - run: echo '${{ github.event.commits[11].author.email }}'
-    - run: echo '${{ github.event.commits[11].author.name }}'
-    - run: echo '${{ github.event.head_commit.message }}'
-    - run: echo '${{ github.event.head_commit.author.email }}'
-    - run: echo '${{ github.event.head_commit.author.name }}'
-    - run: echo '${{ github.event.head_commit.committer.email }}'
-    - run: echo '${{ github.event.head_commit.committer.name }}'
-    - run: echo '${{ github.event.commits[11].committer.email }}'
-    - run: echo '${{ github.event.commits[11].committer.name }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/workflow_run.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/workflow_run.yml
@@ -1,16 +0,0 @@
-on:
-  workflow_run:
-    workflows: [test]
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.workflow_run.display_title }}'
-    - run: echo '${{ github.event.workflow_run.head_commit.message }}'
-    - run: echo '${{ github.event.workflow_run.head_commit.author.email }}'
-    - run: echo '${{ github.event.workflow_run.head_commit.author.name }}'
-    - run: echo '${{ github.event.workflow_run.head_commit.committer.email }}'
-    - run: echo '${{ github.event.workflow_run.head_commit.committer.name }}'
-    - run: echo '${{ github.event.workflow_run.head_branch }}'
-    - run: echo '${{ github.event.workflow_run.head_repository.description }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.expected
@@ -1,65 +0,0 @@
-| .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.issue.body }}, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.issue.title }}, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:22:17:22:63 | console ... dy }}') | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:25:17:25:61 | console ... dy }}') | Potential injection from the ${{ github.event.issue.body }}, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:28:17:28:62 | console ... le }}') | Potential injection from the ${{ github.event.issue.title }}, which may be controlled by an external user. |
-| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
-| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.discussion.title }}, which may be controlled by an external user. |
-| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.discussion.body }}, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.discussion.title }}, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.discussion.body }}, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pages[1].title }}, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pages[11].title }}, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.pages[0].page_name }}, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.pages[2222].page_name }}, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.issue.title }}, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.issue.body }}, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential injection from the ${{ env.global_env }}, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential injection from the ${{ env.job_env }}, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential injection from the ${{ env.step_env }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pull_request.title }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.pull_request.body }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential injection from the ${{ github.event.pull_request.head.label }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential injection from the ${{ github.event.pull_request.head.repo.default_branch }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential injection from the ${{ github.event.pull_request.head.repo.description }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential injection from the ${{ github.event.pull_request.head.repo.homepage }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential injection from the ${{ github.event.pull_request.head.ref }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.review.body }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pull_request.title }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.pull_request.body }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential injection from the ${{ github.event.pull_request.head.label }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential injection from the ${{ github.event.pull_request.head.repo.default_branch }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential injection from the ${{ github.event.pull_request.head.repo.description }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential injection from the ${{ github.event.pull_request.head.repo.homepage }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential injection from the ${{ github.event.pull_request.head.ref }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.pull_request.title }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.pull_request.body }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential injection from the ${{ github.event.pull_request.head.label }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential injection from the ${{ github.event.pull_request.head.repo.default_branch }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential injection from the ${{ github.event.pull_request.head.repo.description }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential injection from the ${{ github.event.pull_request.head.repo.homepage }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential injection from the ${{ github.event.pull_request.head.ref }}, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential injection from the ${{ github.head_ref }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential injection from the ${{ github.event.commits[11].message }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.commits[11].author.email }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.commits[11].author.name }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential injection from the ${{ github.event.head_commit.message }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.head_commit.author.email }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.head_commit.author.name }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.head_commit.committer.email }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.head_commit.committer.name }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.commits[11].committer.email }}, which may be controlled by an external user. |
-| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.commits[11].committer.name }}, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential injection from the ${{ github.event.workflow_run.display_title }}, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.message }}, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.author.email }}, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.author.name }}, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.committer.email }}, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential injection from the ${{ github.event.workflow_run.head_commit.committer.name }}, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential injection from the ${{ github.event.workflow_run.head_branch }}, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential injection from the ${{ github.event.workflow_run.head_repository.description }}, which may be controlled by an external user. |
-| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | Potential injection from the ${{ github.event.comment.body }}, which may be controlled by an external user. |
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.qlref
@@ -1 +0,0 @@
-query: Security/CWE-094/ExpressionInjection.ql
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/action1/action.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/action1/action.yml
@@ -1,14 +0,0 @@
-name: 'test'
-description: 'test'
-branding:
-  icon: 'test'
-  color: 'test'
-inputs:
-  test:
-    description: test
-    required: false
-    default: 'test'
-runs:
-  using: "composite"
-  steps:
-    - run: echo '${{ github.event.comment.body }}'
--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/action2/action.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/action2/action.yml
@@ -1,17 +0,0 @@
-name: 'Hello World'
-description: 'Greet someone and record the time'
-inputs:
-  who-to-greet:  # id of input
-    description: 'Who to greet'
-    required: true
-    default: 'World'
-outputs:
-  time: # id of output
-    description: 'The time we greeted you'
-runs:
-  using: 'docker'
-  steps: # this is actually invalid, used to test we correctly identify composite actions
-    - run: echo '${{ github.event.comment.body }}'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.who-to-greet }}
--- a/javascript/ql/test/query-tests/Security/CWE-312/.github/workflows/test.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-312/.github/workflows/test.yml
@@ -1,87 +0,0 @@
-name: secrets-in-artifacts
-on:
-  pull_request:
-jobs:
-  test1: # VULNERABLE
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
-        with:
-          name: file
-          path: .
-  test2: # NOT VULNERABLE
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@v4
-        with:
-          name: file
-          path: .
-  test3: # VULNERABLE
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
-        with:
-          name: file
-          path: "*"
-  test4: # VULNERABLE
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          path: foo
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
-        with:
-          name: file
-          path: foo
-  test5: # VULNERABLE
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          path: foo
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
-        with:
-          name: file
-          path: foo/*
-  test6: # NOT VULNERABLE
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          path: pr 
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
-        with:
-          name: file
-          path: foo
-  test7: # NOT VULNERABLE
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
-        with:
-          name: file
-          path: .
-  test8: # VULNERABLE
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
-        with:
-          name: file
-          path: .
-
--- a/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.expected
@@ -1,5 +0,0 @@
-| .github/workflows/test.yml:9:9:14:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
-| .github/workflows/test.yml:27:9:32:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
-| .github/workflows/test.yml:38:9:43:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
-| .github/workflows/test.yml:49:9:54:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
-| .github/workflows/test.yml:82:9:86:18 | name: " ... tifact" | A secret may be exposed in an artifact. |
--- a/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.qlref
@@ -1 +0,0 @@
-query: Security/CWE-312/ActionsArtifactLeak.ql
				`@@ -1 +0,0 @@`
				`query: Security/CWE-094/ExpressionInjection.ql`
				`@@ -1 +0,0 @@`
				`query: Security/CWE-312/ActionsArtifactLeak.ql`