Merge pull request #31 from GitHubSecurityLab/new_sinks

Add security sinks
2026-01-10 21:20:22 +01:00 · 2024-03-14 19:11:27 +01:00
parent 1e64b18212 70dd7fe18f
commit 4fcd68ba5a
103 changed files with 922 additions and 5 deletions
--- a/ql/lib/ext/8398a7_action-slack.model.yml
+++ b/ql/lib/ext/8398a7_action-slack.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection"]
--- a/ql/lib/ext/actions_github-script.model.yml
+++ b/ql/lib/ext/actions_github-script.model.yml
@@ -3,4 +3,4 @@ extensions:
      pack: githubsecuritylab/actions-all
      extensible: sinkModel
    data:
-      - ["actions/github-script","*","input.script","expression-injection"]
+      - ["actions/github-script", "*", "input.script", "code-injection"]
--- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
@@ -4,3 +4,18 @@ extensions:
      extensible: summaryModel
    data:
      - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection"]
+      - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection"]
--- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sourceModel
+    data:
+      - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"]
--- a/ql/lib/ext/anchore_sbom-action.model.yml
+++ b/ql/lib/ext/anchore_sbom-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["anchore/sbom-action", "*", "input.syft-version", "command-injection"]
+      - ["anchore/sbom-action", "*", "input.format", "command-injection"]
+      - ["anchore/sbom-action", "*", "input.path", "command-injection"]
+      - ["anchore/sbom-action", "*", "input.file", "command-injection"]
+      - ["anchore/sbom-action", "*", "input.image", "command-injection"]
--- a/ql/lib/ext/anchore_scan-action.model.yml
+++ b/ql/lib/ext/anchore_scan-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["anchore/scan-action", "*", "input.grype-version", "command-injection"]
--- a/ql/lib/ext/andresz1_size-limit-action.model.yml
+++ b/ql/lib/ext/andresz1_size-limit-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection"]
+      - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection"]
+      - ["andresz1/size-limit-action", "*", "input.script", "command-injection"]
+      - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection"]
--- a/ql/lib/ext/asdf-vm_actions.model.yml
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["asdf-vm/actions", "*", "input.before_install", "command-injection"]
--- a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection"]
+      - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection"]
--- a/ql/lib/ext/azure_powershell.model.yml
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["azure/powershell", "*", "input.azPSVersion", "command-injection"]
--- a/ql/lib/ext/bahmutov_npm-install.model.yml
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["bahmutov/npm-install", "*", "input.install-command", "command-injection"]
--- a/ql/lib/ext/blackducksoftware_github-action.model.yml
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["blackducksoftware/github-action", "*", "input.args", "command-injection"]
+      - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection"]
+      - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection"]
--- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -4,3 +4,9 @@ extensions:
      extensible: summaryModel
    data:
      - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection"]
+      - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection"]
--- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -4,3 +4,8 @@ extensions:
      extensible: summaryModel
    data:
      - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection"]
--- a/ql/lib/ext/bufbuild_buf-setup-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection"]
+      - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection"]
--- a/ql/lib/ext/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/cachix_cachix-action.model.yml
@@ -4,3 +4,9 @@ extensions:
      extensible: summaryModel
    data:
      - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["cachix/cachix-action", "*", "input.installCommand", "command-injection"]
+      - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection"]
--- a/ql/lib/ext/changesets_action.model.yml
+++ b/ql/lib/ext/changesets_action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["changesets/action", "*", "input.publish", "command-injection"]
+      - ["changesets/action", "*", "input.version", "command-injection"]
--- a/ql/lib/ext/cloudflare_wrangler-action.model.yml
+++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection"]
+      - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection"]
--- a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection"]
--- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -3,4 +3,4 @@ extensions:
      pack: githubsecuritylab/actions-all
      extensible: summaryModel
    data:
-      - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
+      - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
--- a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
+++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection"]
+      - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection"]
+      - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection"]
--- a/ql/lib/ext/cypress-io_github-action.model.yml
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sourceModel
+    data:
+      - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
--- a/ql/lib/ext/dailydotdev_action-devcard.model.yml
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection"]
+      - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection"]
--- a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection"]
--- a/ql/lib/ext/daspn_private-actions-checkout.model.yml
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection"]
+      - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection"]
--- a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection"]
+      - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection"]
--- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sourceModel
+    data:
+      - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"]
--- a/ql/lib/ext/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -3,4 +3,4 @@ extensions:
      pack: githubsecuritylab/actions-all
      extensible: summaryModel
    data:
-      - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
+      - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
--- a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
+++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection"]
+      - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection"]
+      - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection"]
+      - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection"]
+      - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection"]
+      - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection"]
--- a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection"]
+      - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection"]
+      - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection"]
--- a/ql/lib/ext/docker_build-push-action.model.yml
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["docker/build-push-action", "*", "input.context", "code-injection"]
--- a/ql/lib/ext/endbug_latest-tag.model.yml
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["endbug/latest-tag", "*", "input.ref", "command-injection"]
+      - ["endbug/latest-tag", "*", "input.tag-name", "command-injection"]
+      - ["endbug/latest-tag", "*", "input.git-directory", "command-injection"]
+      - ["endbug/latest-tag", "*", "input.description", "command-injection"]
--- a/ql/lib/ext/expo_expo-github-action.model.yml
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["expo/expo-github-action", "*", "input.command", "command-injection"]
+      - ["expo/expo-github-action", "*", "input.packager", "command-injection"]
--- a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection"]
--- a/ql/lib/ext/gabrielbb_xvfb-action.model.yml
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection"]
+      - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection"]
--- a/ql/lib/ext/game-ci_unity-builder.model.yml
+++ b/ql/lib/ext/game-ci_unity-builder.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection"]
+      - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection"]
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -3,4 +3,4 @@ extensions:
      pack: githubsecuritylab/actions-all
      extensible: summaryModel
    data:
-      - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
+      - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
--- a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
+++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection"]
--- a/ql/lib/ext/go-semantic-release_action.model.yml
+++ b/ql/lib/ext/go-semantic-release_action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["go-semantic-release/action", "*", "input.bin", "command-injection"]
--- a/ql/lib/ext/golangci_golangci-lint-action.model.yml
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["golangci/golangci-lint-action", "*", "input.version", "command-injection"]
--- a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection"]
+      - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection"]
--- a/ql/lib/ext/goreleaser_goreleaser-action.model.yml
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection"]
--- a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection"]
+      - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection"]
+      - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection"]
+      - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection"]
--- a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection"]
+      - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection"]
+      - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection"]
+      - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection"]
--- a/ql/lib/ext/ilammy_setup-nasm.model.yml
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["ilammy/setup-nasm", "*", "input.version", "command-injection"]
+      - ["ilammy/setup-nasm", "*", "input.destination", "command-injection"]
--- a/ql/lib/ext/imjohnbo_issue-bot.model.yml
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["imjohnbo/issue-bot", "*", "input.body", "code-injection"]
+      - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection"]
+      - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection"]
--- a/ql/lib/ext/iterative_setup-cml.model.yml
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["iterative/setup-cml", "*", "input.version", "command-injection"]
--- a/ql/lib/ext/iterative_setup-dvc.model.yml
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["iterative/setup-dvc", "*", "input.version", "command-injection"]
--- a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection"]
+      - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection"]
+      - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection"]
+      - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection"]
+      - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection"]
+      - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection"]
--- a/ql/lib/ext/johnnymorganz_stylua-action.model.yml
+++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection"]
--- a/ql/lib/ext/jurplel_install-qt-action.model.yml
+++ b/ql/lib/ext/jurplel_install-qt-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["jurplel/install-qt-action", "*", "input.version", "command-injection"]
+      - ["jurplel/install-qt-action", "*", "input.arch", "command-injection"]
+      - ["jurplel/install-qt-action", "*", "input.dir", "command-injection"]
+      - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection"]
+      - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection"]
+      - ["jurplel/install-qt-action", "*", "input.extra", "command-injection"]
--- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -4,3 +4,10 @@ extensions:
      extensible: summaryModel
    data:
      - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection"]
+      - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection"]
+      - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection"]
--- a/ql/lib/ext/leafo_gh-actions-lua.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection"]
+      - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection"]
--- a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
+++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection"]
--- a/ql/lib/ext/lucasbento_auto-close-issues.model.yml
+++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection"]
--- a/ql/lib/ext/magefile_mage-action.model.yml
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["magefile/mage-action", "*", "input.args", "command-injection"]
--- a/ql/lib/ext/maierj_fastlane-action.model.yml
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["maierj/fastlane-action", "*", "input.lane", "command-injection"]
+      - ["maierj/fastlane-action", "*", "input.options", "command-injection"]
+      - ["maierj/fastlane-action", "*", "input.env", "command-injection"]
--- a/ql/lib/ext/manusa_actions-setup-minikube.model.yml
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection"]
+      - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection"]
+      - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection"]
+      - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection"]
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -5,3 +5,12 @@ extensions:
    data:
      - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"]
      - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection"]
+      - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection"]
+      - ["mattdavis0351/actions", "*", "input.image-name", "command-injection"]
+      - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection"]
+      - ["mattdavis0351/actions", "*", "input.tag", "command-injection"]
--- a/ql/lib/ext/meteorengineer_setup-meteor.model.yml
+++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection"]
--- a/ql/lib/ext/microsoft_setup-msbuild.model.yml
+++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection"]
+      - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection"]
--- a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -0,0 +1,16 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection"]
+      - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection"]
--- a/ql/lib/ext/msys2_setup-msys2.model.yml
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["msys2/setup-msys2", "*", "input.install", "command-injection"]
+      - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection"]
--- a/ql/lib/ext/mxschmitt_action-tmate.model.yml
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection"]
+      - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection"]
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -4,3 +4,9 @@ extensions:
      extensible: summaryModel
    data:
      - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection"]
+      - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection"]
--- a/ql/lib/ext/nanasess_setup-chromedriver.model.yml
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection"]
--- a/ql/lib/ext/nanasess_setup-php.model.yml
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["nanasess/setup-php", "*", "input.php-version", "command-injection"]
--- a/ql/lib/ext/nick-fields_retry.model.yml
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection"]
+      - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection"]
+      - ["nick-fields/retry", "*", "input.command", "command-injection"]
--- a/ql/lib/ext/octokit_graphql-action.model.yml
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["octokit/graphql-action", "*", "input.query", "request-forgery"]
--- a/ql/lib/ext/octokit_request-action.model.yml
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["octokit/request-action", "*", "input.route", "request-forgery"]
--- a/ql/lib/ext/olafurpg_setup-scala.model.yml
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection"]
--- a/ql/lib/ext/paambaati_codeclimate-action.model.yml
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection"]
--- a/ql/lib/ext/peter-evans_create-pull-request.model.yml
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection"]
--- a/ql/lib/ext/plasmicapp_plasmic-action.model.yml
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection"]
+      - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection"]
+      - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection"]
--- a/ql/lib/ext/preactjs_compressed-size-action.model.yml
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection"]
+      - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection"]
--- a/ql/lib/ext/py-actions_flake8.model.yml
+++ b/ql/lib/ext/py-actions_flake8.model.yml
@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["py-actions/flake8", "*", "input.flake8-version", "command-injection"]
+      - ["py-actions/flake8", "*", "input.plugins", "command-injection"]
+      - ["py-actions/flake8", "*", "input.path", "command-injection"]
+      - ["py-actions/flake8", "*", "input.ignore", "command-injection"]
+      - ["py-actions/flake8", "*", "input.exclude", "command-injection"]
+      - ["py-actions/flake8", "*", "input.max-line-length", "command-injection"]
+      - ["py-actions/flake8", "*", "input.args", "command-injection"]
--- a/ql/lib/ext/py-actions_py-dependency-install.model.yml
+++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["py-actions/py-dependency-install", "*", "input.path", "command-injection"]
--- a/ql/lib/ext/pyo3_maturin-action.model.yml
+++ b/ql/lib/ext/pyo3_maturin-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection"]
+      - ["pyo3/maturin-action", "*", "input.target", "command-injection"]
+      - ["pyo3/maturin-action", "*", "input.command", "command-injection"]
+      - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection"]
--- a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
+++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
@@ -0,0 +1,24 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+      - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
--- a/ql/lib/ext/reggionick_s3-deploy.model.yml
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection"]
+      - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection"]
+      - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection"]
+      - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection"]
+      - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection"]
+      - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection"]
+      - ["reggionick/s3-deploy", "*", "input.cache", "command-injection"]
+      - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection"]
--- a/ql/lib/ext/renovatebot_github-action.model.yml
+++ b/ql/lib/ext/renovatebot_github-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection"]
+      - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection"]
+      - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection"]
+      - ["renovatebot/github-action", "*", "input.docker-user", "command-injection"]
+      - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection"]
--- a/ql/lib/ext/roots_issue-closer-action.model.yml
+++ b/ql/lib/ext/roots_issue-closer-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection"]
+      - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection"]
--- a/ql/lib/ext/ros-tooling_setup-ros.model.yml
+++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection"]
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -4,3 +4,8 @@ extensions:
      extensible: summaryModel
    data:
      - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection"]
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -4,3 +4,8 @@ extensions:
      extensible: summaryModel
    data:
      - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection"]
--- a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection"]
--- a/ql/lib/ext/snow-actions_eclint.model.yml
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["snow-actions/eclint", "*", "input.args", "command-injection"]
--- a/ql/lib/ext/stackhawk_hawkscan-action.model.yml
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection"]
+      - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection"]
+      - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection"]
+      - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection"]
+      - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection"]
--- a/ql/lib/ext/step-security_harden-runner.model.yml
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection"]
--- a/ql/lib/ext/tibdex_backport.model.yml
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["tibdex/backport", "*", "input.body_template", "code-injection"]
+      - ["tibdex/backport", "*", "input.head_template", "code-injection"]
+      - ["tibdex/backport", "*", "input.labels_template", "code-injection"]
+      - ["tibdex/backport", "*", "input.title_template", "code-injection"]
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
@@ -19,4 +19,4 @@ extensions:
      - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"]
      - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"]
      - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"]
-      - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
+      - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
--- a/ql/lib/ext/tripss_conventional-changelog-action.model.yml
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection"]
+      - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection"]
--- a/ql/lib/ext/tryghost_action-deploy-theme.model.yml
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection"]
+      - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection"]
--- a/ql/lib/ext/veracode_veracode-sca.model.yml
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
+      - ["veracode/veracode-sca", "*", "input.path", "command-injection"]
+      - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection"]
+      - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
--- a/ql/lib/ext/wearerequired_lint-action.model.yml
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["wearerequired/lint-action", "*", "input.git_name", "command-injection"]
+      - ["wearerequired/lint-action", "*", "input.git_email", "command-injection"]
+      - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection"]
--- a/ql/lib/ext/webfactory_ssh-agent.model.yml
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection"]
+      - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection"]
+      - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection"]
--- a/ql/lib/ext/zaproxy_action-baseline.model.yml
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection"]
+      - ["zaproxy/action-baseline", "*", "input.target", "command-injection"]
+      - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection"]
+      - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection"]
--- a/ql/lib/ext/zaproxy_action-full-scan.model.yml
+++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection"]
+      - ["zaproxy/action-full-scan", "*", "input.target", "command-injection"]
+      - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection"]
+      - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection"]
--- a/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/ql/src/Security/CWE-078/CommandInjection.ql
@@ -0,0 +1,38 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ *              malicious code by the user.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+  CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Potential command injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()
--- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql
+++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
@@ -0,0 +1,44 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ *              malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/critical-command-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+  CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+  MyFlow::flowPath(source, sink) and
+  w = source.getNode().asExpr().getEnclosingWorkflow() and
+  (
+    w instanceof ReusableWorkflow or
+    w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+  )
+select sink.getNode(), source, sink,
+  "Potential critical command injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()
--- a/Show More
+++ b/Show More