From 41fade5feb30339cf8d453e7eb1cc0b1c7c57e7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 2 Aug 2024 12:44:43 +0200
Subject: [PATCH] feat(bash): Improve bash command parsing
---
 ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +-
 ql/lib/codeql/actions/config/Config.qll | 2 +-
 .../.github/workflows/poisonable_steps.yml | 5 +
 .../library-tests/poisonable_steps.expected | 2 +-
 ql/test/library-tests/test.expected | 254 ++++++++++--------
 .../.github/workflows/arg_injection.yml | 12 +-
 .../ArgumentInjectionCritical.expected | 8 +
 .../CWE-094/ArgumentInjectionMedium.expected | 5 +
 8 files changed, 167 insertions(+), 123 deletions(-)
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
index e05e3a8c41c..5bb94ba8a68 100644
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -1243,7 +1243,7 @@ class RunImpl extends StepImpl {
 RunImpl() { this.getNode().lookup("run") = script }
- string getScript() { result = script.getValue() }
+ string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") }
 ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) }
diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll
index fb1ae9af14d..e298865c468 100644
--- a/ql/lib/codeql/actions/config/Config.qll
+++ b/ql/lib/codeql/actions/config/Config.qll
@@ -92,7 +92,7 @@ predicate argumentInjectionSinksDataModel(string regexp, int command_group, int
 exists(string sub_regexp |
 Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and
 // capture regexp
- regexp = ".*" + commandPrefixDelimiter() + sub_regexp + commandSuffixDelimiter() + ".*"
+ regexp = ".*" + commandPrefixDelimiter() + sub_regexp // + commandSuffixDelimiter() + ".*"
 )
 }
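Review bot: The pattern in the new `getScript()` puts `\s*` between the backslash and the newline, and `\s` also matches line breaks, so a continuation followed by one or more blank lines is collapsed across them and the following command is glued onto the previous one as if it were another argument. Bash treats only a backslash directly before the newline as a continuation, so limiting the gap to horizontal whitespace keeps command boundaries intact for the sink regexps that run over this string: `string getScript() { result = script.getValue().regexpReplaceAll("\\\\[ \\t]*\\r?\\n", "") }`. The rewrite is also applied inside single-quoted text and, as far as this hunk shows, regardless of the step's `shell:`, so a QLDoc such as `/** Gets the script with backslash-newline continuations joined; this is not the raw YAML scalar. */` would warn callers that the text no longer lines up with the source value. `RunImpl` continues outside the hunk.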
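Review bot: In `argumentInjectionSinksDataModel` the old tail of the expression is left behind as a trailing comment (`// + commandSuffixDelimiter() + ".*"`), which reads like an unfinished experiment rather than a decision. With the suffix delimiter gone the sink pattern is no longer bounded at the end of the command, and with the trailing `.*` gone the outcome depends on whether the caller (not visible in this hunk) applies the regexp as a whole-string match; either way the entries in the data extension now carry that responsibility, which can move both false positives and false negatives in the argument-injection queries. I would drop the dead fragment, leaving `regexp = ".*" + commandPrefixDelimiter() + sub_regexp`, and replace `// capture regexp` with a comment that states what each `sub_regexp` is expected to cover now that nothing is appended after it.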
diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
index fad7001ad5a..2e971baa050 100644
--- a/ql/test/library-tests/.github/workflows/poisonable_steps.yml
+++ b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
@@ -39,3 +39,8 @@ jobs:
 - run: echo "foo" | awk -f ./config.awk > foo.txt
 - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo
 - run: ./foo/cmd
+ - run: |
+ sed -e 's##TITLE#' \
+ -e 's##${{ env.sot_repo }}#' \
+ -e 's##${TITLE}#' \
+ .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected
index b164d16b603..0cd71f96ea9 100644
--- a/ql/test/library-tests/poisonable_steps.expected
+++ b/ql/test/library-tests/poisonable_steps.expected
@@ -30,4 +30,4 @@ | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step |
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index dfdd843d8a3..6bedcadcdba 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -8,7 +8,7 @@ workflows | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline2.yml:1:1:89:35 | on: | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | reusableWorkflows compositeActions
@@ -16,14 +16,14 @@ jobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | localJobs | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/multiline2.yml:9:5:89:35 | Job: Test | | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | extJobs @@ -94,7 +94,8 @@ steps | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | | .github/workflows/test.yml:11:9:15:6 | Uses Step | | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | 
@@ -167,7 +168,8 @@ runSteps | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | sed -e 's##TITLE#' -e 's##${{ env.sot_repo }}#' -e 's##${TITLE}#' .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | 
@@ -185,6 +187,7 @@ runExprs | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/multiline2.yml:30:9:34:6 | Run Step | .github/workflows/multiline2.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/multiline.yml:30:9:34:6 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
@@ -287,7 +290,8 @@ runStepChildren | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | 
@@ -542,142 +546,147 @@ parentNodes | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on: | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| 
.github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | -| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | 
.github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | -| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | -| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . 
venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | -| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | -| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. 
venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | -| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | -| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| 
.github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | -| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | -| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | -| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | -| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | -| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | -| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | 
.github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | -| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | -| 
.github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | -| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile 
js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | -| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | -| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | 
.github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | -| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | -| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | -| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| 
echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | -| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | -| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | 
.github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | -| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | -| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = 
\\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | -| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | -| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | 
.github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | -| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | -| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | 
gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | -| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| 
.github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push | 
@@ -870,11 +879,11 @@ cfgNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | enter on: push | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push (normal) | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | enter on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | exit on: push (normal) | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -935,8 +944,11 @@ cfgNodes | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | @@ -1047,7 +1059,7 @@ dfNodes | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | 
@@ -1108,8 +1120,11 @@ dfNodes | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | 
@@ -1222,7 +1237,7 @@ nodeLocations | .github/workflows/multiline.yml:79:14:84:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 | | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 | | .github/workflows/multiline.yml:86:14:89:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 | -| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:41:23 | .github/workflows/poisonable_steps.yml@5:5:41:23 | +| .github/workflows/poisonable_steps.yml:5:5:46:111 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:46:111 | .github/workflows/poisonable_steps.yml@5:5:46:111 | | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 | | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 | | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 | 
@@ -1283,8 +1298,11 @@ nodeLocations | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 | | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 | | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 | -| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:9:41:23 | .github/workflows/poisonable_steps.yml@41:9:41:23 | +| .github/workflows/poisonable_steps.yml:41:9:42:6 | Run Step | .github/workflows/poisonable_steps.yml:41:9:42:6 | .github/workflows/poisonable_steps.yml@41:9:42:6 | | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 | +| .github/workflows/poisonable_steps.yml:42:9:46:111 | Run Step | .github/workflows/poisonable_steps.yml:42:9:46:111 | .github/workflows/poisonable_steps.yml@42:9:46:111 | +| .github/workflows/poisonable_steps.yml:42:14:46:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/poisonable_steps.yml:42:14:46:111 | .github/workflows/poisonable_steps.yml@42:14:46:111 | +| .github/workflows/poisonable_steps.yml:44:32:44:50 | env.sot_repo | .github/workflows/poisonable_steps.yml:44:32:44:50 | .github/workflows/poisonable_steps.yml@44:32:44:50 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | 
.github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | @@ -1306,7 +1324,7 @@ scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | .github/workflows/multiline2.yml:1:1:89:35 | on: | | .github/workflows/multiline.yml:1:1:89:29 | on: | -| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push | +| .github/workflows/poisonable_steps.yml:1:1:46:111 | on: push | | .github/workflows/test.yml:1:1:40:53 | on: push | sources | ahmadnassri/action-changed-files | * | output.files | filename | manual | diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml index 3f2f30a78a0..09e540a0f1b 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/arg_injection.yml @@ -17,6 +17,14 @@ jobs: - run: awk "BEGIN {$TITLE}" - run: sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json - run: | - # We consider | as a shell pipe so this one is not reported yet until - # we can better identify all the commands in a shell script sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json + - run: | + sed -e 's##${TITLE}#' \ + -e 's##${{ env.sot_repo }}#' \ + -e 's##TITLE#' \ + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky + - run: | + sed -e 's##TITLE#' \ + -e 's##${{ env.sot_repo }}#' \ + -e 's##${TITLE}#' \ + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky 
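Review bot: The two `run: |` steps added to arg_injection.yml differ only in which `-e` expression carries `${TITLE}` (the first versus the last), and no comment records that. The only explanatory comment in this hunk, about the `|`-delimited sed, is also removed. I would put `# ${TITLE} in the first -e expression, before any line continuation` above the first new step and `# ${TITLE} in the last -e expression, after the line continuations` above the second. Both new steps are expected to be flagged, so the fixture would also benefit from a negative control: a backslash-continued `sed` whose expressions are all literals, so the `.expected` files show the rule does not fire just because a command spans several lines. The `steps:` list these entries belong to starts outside the hunk, so their position relative to the `TITLE` env definition is inferred from the expected output rather than visible here.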
diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected index b5d25bf0d13..b5df9a2cbd3 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionCritical.expected @@ -3,6 +3,8 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | 
@@ -10,6 +12,9 @@ nodes | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | subpaths #select | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed | 
@@ -17,3 +22,6 @@ subpaths | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | awk | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | sed | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. 
| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | diff --git a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected index dfbf87174cc..73413f51a39 100644 --- a/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/ArgumentInjectionMedium.expected 
@@ -3,6 +3,8 @@ edges | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | | | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | +| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | provenance | | nodes | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title | | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" | 
@@ -10,5 +12,8 @@ nodes | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | | .github/workflows/arg_injection.yml:17:14:17:33 | awk "BEGIN {$TITLE}" | semmle.label | awk "BEGIN {$TITLE}" | | .github/workflows/arg_injection.yml:18:14:18:86 | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | semmle.label | sed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json | +| .github/workflows/arg_injection.yml:19:14:20:84 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | semmle.label | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | +| .github/workflows/arg_injection.yml:21:14:25:111 | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | +| .github/workflows/arg_injection.yml:26:14:30:111 | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | semmle.label | sed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | subpaths #select